
GoDaddy: Hackers stole source code, installed malware in multi-year breach


David H. Lipman

Quote:

Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.

While GoDaddy discovered the security breach following customer reports in early December 2022 that their sites were being used to redirect to random domains, the attackers had access to the company's network for multiple years.

"Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy," the hosting firm said in an SEC filing.

The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign.

The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers breached GoDaddy's WordPress hosting environment using a compromised password.

They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.

After the March 2020 breach, GoDaddy alerted 28,000 customers that an attacker used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.

GoDaddy is now working with external cybersecurity forensics experts and law enforcement agencies worldwide as part of an ongoing investigation into the root cause of the breach.

Links to attacks targeting other hosting companies

GoDaddy says it also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years.

"We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy," the hosting company said in a statement.

"According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities."

GoDaddy is one of the largest domain registrars, and it also provides hosting services to over 20 million customers worldwide.

A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Update February 17, 12:59 EST: Added more info on breaches linked to the multi-year campaign targeting GoDaddy and other hosting firms.


I've been thinking about this all week as I've read your posts starting with GoodRx, Pepsi, MoneyGram, etc.

Other than using known sites, keeping digital behavior cautious/clean, using unique passwords, taking preventative measures, installing & using blockers & detectors, staying informed, what can we do? 

What's a realistic attitude here without pessimism?


Research the organization before you choose to do business with them.

  • What is their history?
  • Are there any notable events?
  • How well do they handle Cyber Abuse?
  • Have Situational Awareness of associated events.

There are just some companies you can't predict or prevent, so you need to understand that there are "possibilities" and you want to limit your exposure.

You can be a relatively safe driver and pay attention to the road, traffic signals and signage, but out of the blue some other vehicle's driver may not be paying attention and your car gets hit. Be prepared, not paranoid, just conscious.


Good advice, thanks Dave.  Becoming an aware consumer, in those cases where there's a choice. I noticed T-Mobile has issues, but I'm tied to them by their disability services. 

The length of time it takes companies to detect, then remediate IMO should not be years. I suppose that's a good indicator of their overall tech competence, maybe business leadership & model. 

Limiting exposure. I like that thought & also the driving analogy. 


T-Mobile has an abysmal record.  They don't learn from their past lessons and have become a liability. 

One has to do a Cost Benefit Analysis and weigh the Benefits vs. the Detriments and see if they balance each other or if one has a preponderance over the other.  That is, after all, a totally personal examination and reflection.


There are steps you can take to try to keep your information secure on your computers, but there is nothing you can do when any information you have is in the hands of others. Think IRS, banks, shopping sites, hotels, airlines; the list is endless. Be aware that virtually all of these will be hacked eventually and that almost everyone's info will be "out there" for sale. The only defense we have is that, with hundreds of millions of people's info exposed, the chance of yours being abused is slim.
