Lenovo attacked in retaliation for spyware Superfish
At midnight on the main page of Lenovo.com, a slide show with images of teenagers appeared, which was clearly not intended for advertising laptops and smartphones. When the page was opened, the song “Breaking Free” from the movie “High School Musical” began to play. At 7 a.m. (Moscow time), a stub hung on the site, and its work was restored only after a few hours.
According to The Hacker News, hackers from Lizard Squad were involved in the hacking of the site, which follows from a message on Twittergroups. The slideshow used photos of its active members Ryan King and Rory Andrew Godfrey, who were arrested after recent attacks on gaming services. In addition, a phrase about a new rebranding of the Lenovo site with Ryan King and Rory Andrew Godfrey has been added to the code of the web page.
The Verge edition cites Jonathan Zdzyarski’s assumption of a site attack mechanism that links it to domain spoofing. He discovered changes in Whois - in particular, a change of DNS servers and a move to Cloudflare.
In addition to the site, hackers gained access to the correspondence of Lenovo employees.
Another letter says that removing Superfish from one of the users caused the computer to crash.
Recall that on February 19 it became known about the Superfish program, which since the summer of 2014 comes with laptops of the G, U, Y, Z, S, Flex, Miix, Yoga, and E series. Utilityit listens for traffic, including HTTPS, forges SSL certificates of third-party sites, analyzes user searches and inserts ads on pages of third-party resources. Following the scandal, Lenovo issued an official letter acknowledging the problem of Superfish and introducing various ways to remove the utility.
Interestingly, a few days before the sabotage against the largest computer manufacturer, the Facebook security department conducted its own investigation, which resulted in the discovery of several more programs using the same library from Komodia as in Superfish.
- CartCrunch Israel LTD
- WiredTools LTD
- Say Media Group LTD
- Over the rainbow
- Tech system alert
- Arcade giant
- Objectify Media Inc
- Catalytix web services
The Komodia library modifies the Windows network stack and installs a new root certification authority, which allows such applications to impersonate any site that supports SSL.
The Hacker News provides a list of hashes that identify malware that contains Komodia’s library.