Update on DNS hijack of leaseweb.com website

As one of the largest hosting providers in the world, with almost four percent of the entire global IP traffic under our management, LeaseWeb continuously combats cybercrime in its many forms, dealing swiftly and professionally with any detected malicious activity within its network. Last weekend the leaseweb.com website was unfortunately a direct target of cybercriminals itself. For a short period of time some visitors of leaseweb.com were redirected to another, non-LeaseWeb IP address, after the leaseweb.com DNS was changed at the registrar.

This DNS hijack was quickly detected and rectified by LeaseWeb’s security department. Although it seems to have had only superficial effects, we seriously regret that this event happened. Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed. No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack.

DNS hijack, overview of services affected

The unauthorized name server change for leaseweb.com took place at our registrar on Saturday 5 October, around 19:00 hours CET / 1 PM EST. While the hijack was soon detected and mitigated, it took some time before our adjustments in the DNS cache were propagated across the internet. During this period the following systems and services were affected:

  • Some visitors of http://www.leaseweb.com were redirected to a non-LeaseWeb IP address
  • E-mails sent to @leaseweb.com addresses during the DNS hijack were not received by LeaseWeb
  • Domain name registration and server reinstallation via our Customer Portal was disabled

Preventing future incidents

Details of how exactly the hijack could have happened are not yet 100% clear at the moment of writing. Some media mentioned that a vulnerability in WHMCS software might have been the culprit, but this cannot be the case. LeaseWeb uses its own in-house developed software for its customer panel, which does not seem to have been part of the security issue. Right now, it appears that the hijackers obtained the domain administrator password and used that information to access the registrar. We will continue to investigate this incident thoroughly and take decisive action accordingly.

At LeaseWeb we take security and cybercrime prevention very seriously. By partnering with various third parties through our Community Outreach Project, we are often able to stop cybercrime in its tracks. In addition, our security teams continuously research, implement and upgrade a broad variety of security systems and protocols to prevent any attacks from doing harm. These measures go beyond technical solutions. For example, as part of our continued ISO27001 security certification maintenance, all our staff receive regular security awareness training.

We sincerely apologize for any inconvenience this unfortunate event might have caused. Security will always be a battle between good and evil, with one trying to outsmart the other in whatever way possible. We will learn from this incident, intensively review our security systems and protocols, and adjust where necessary.

If you have concerns, our customer service is available to answer any questions you might have.
