Pierluigi Paganini February 24, 2015

Alleged Hacker belonging to the hacking crew Lizard Squad run a DNS hajacking attack against the Google Vietnam domain.

A nasty surprise for Internet users who visited the Google Vietnam website that was presented with a picture of a man taking a selfie, along with a message that claimed the website site was hacked by the popular hacking crew Lizard Squad.

The Lizard Squad team is the hacking collective that ridiculed the IT giants Microsoft and Sony in the Christmas day, the popular hackers have brought down the Play Station Network and the Xbox live service affecting hundreds million users worldwide.

The group of hackers also advertised their DDoS hacking service dubbed Lizard Stresser, that is now called Shenron.

The hackers haven’t compromised Google servers, instead they run a DNS hijacking in order to redirect the visitors of to the Google Vietnam website to defacement page.

According to OpenDNS, the alleged members of the Lizard Squad redirected visitors by changing the Google nameservers (ns1.google.com, ns2.google.com) to CloudFlare IP addresses (173.245.59.108, 173.245.58.166), meanwhile the landing page used for the defacement  had been stored on a DigitalOcean-hosted server located in the Netherlands.

Fortunately CloudFlare and the Vietnam Internet Network Information Center (VNNIC) have reacted quickly to avert the worst. The nameserver records were restored in a couple of hours after the attack  had changed them.

The experts from OpenDNS consider the choice of DigitalOcean a clever move, they speculate that Lizard Squad has used it because DigitalOcean is an IPv6 IP that could help them to confuse network analysts and legacy tools.

IP address in question was an IPv6 IP – 2a03:b0c0:2:d0::23a:c001.

Prefix: 2a03:b0c0:2::/48

Prefix description: DigitalOcean

Country code: NL

Origin AS: 202018

Origin AS Name: DOAMS3 — DigitalOcean Amsterdam

RPKI status: No ROA found First seen: 2014-08-13 Last seen: 2015-02-23 Seen by #peers: 170 - See more

First seen: 2014-08-13 Last seen: 2015-02-23 Seen by #peers: 170 - See more

Last seen: 2015-02-23 Seen by #peers: 170 - See more

“The hosting of the site in The Netherlands, when combined with the load balancing capabilities of employing CloudFlare’s infrastructure, does signal that at least some thought was put into managing the considerable amount of web traffic generated by Google-related requests,” OpenDNS’s Andrew Hay wrote in a blog post.

“We suspect that the use of IPv6 for malicious and fraudulent sites will become increasingly commonplace, especially as VPS providers stop giving customers the choice to select an IPv4 or IPv6 IP address for their server,” 

According to the VNNIC, Google and the targeted domain registrar are investigating on the breach.

Pierluigi Paganini

(Security Affairs –  Google, Lizard Squad)