Hackers successfully hit GoDaddy’s cPanel hosting servers with malware that “intermittently redirected random customer websites to malicious sites” the domain hosting firm has admitted – the latest in a string of breaches at the company, which recently touted plans to slash opex and staff in 2023 for cost savings of $100 million.
In March 2020 a threat actor stole the login credentials of 28,000 GoDaddy customers. Then In November 2021 “using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million... customers across multiple GoDaddy brands” GoDaddy admitted – hinting in a February 16 filing that the attacks were by the same threat group.
GoDaddy hack: "Sophisticated" hackers nabbed a password
(“As an operator of a large Internet infrastructure, the company is frequently targeted and experiences a high rate of attacks. These include the most sophisticated forms of attacks, such as advanced persistent threat attacks and zero-hour threats” GoDaddy said in its SEC filing – the company has some 21 million customers globally. Why did it not have MFA set up at bare minimum, critics will be wondering; a compromised password alone should not be enough to breach a company with revenues of over $1 billion a year in this day and age.)
The December 2022 GoDaddy hack was part of a “a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy” the company claimed in an SEC filing on February 16, without sharing evidence.
“Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections” it said blandly on its website, adding “we are working with multiple law enforcement agencies around the world, in addition to forensics experts, to further investigate the issue. We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services… their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”
In March 2020 a threat actor stole the login credentials of 28,000 GoDaddy customers. Then In November 2021 “using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million... customers across multiple GoDaddy brands” GoDaddy admitted – hinting in its filing that the attacks were by the same threat group.
Strikingly the company said that “ To date, these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations” – that may be about to change.
GoDaddy hacked: No insight on threat vector yet
As Muhammad Yahya Patel, Security Engineer at Check Point Software noted: “It’s evident that organisations are still struggling to implement sufficient cyber hygiene protocols to prevent cyberattacks. This may impact how comfortable their customers feel interacting with the company, especially as the repercussions are likely to be ongoing and that should be a lesson to other organisations. It only takes one breach to unpick years of built up trust and this can have a real impact on a business’s reputation in the long term. However, there are ways to minimise the threat posed by these risks. To keep themselves protected, businesses need to implement segmentation and encryption with key rotation to adequately defend against cyber threats. Alongside this, we simply cannot forget the importance of multi-factor authentication, a protocol that should be in place everywhere but many organisations continue to overlook. Service providers should be mandating this as using the right combination of techniques will make it harder for threat actors to disrupt operations.”
Nick France, CTO of SSL at Sectigo meanwhile noted that “compromise of any hosting or DNS infrastructure can involve or lead to compromise of the private keys for the digital certificates for those websites.
“It's important that remediation to these compromises is actioned quickly - in the case of certificates, they may need to be revoked in a short space of time” he added: “If the hosting infrastructure is indeed compromised, it's almost certain that the keys to the certificates have been compromised also. As this can have a significant impact on a business, it's important that these certificates are properly managed such that they can be not only known to the enterprise, but that they can be reissued and reinstalled very rapidly when these security breaches happen. Being able to maintain agility with your certificates, regardless of where they are or who issued them - will minimise the impact on a business during these types of events" he added in an emailed comment.