A series of breaches of domain name and web hosting company GoDaddy that dates back to 2020 has been tied together as the work of one persistent attacker that seems to specialize in hitting web hosting outfits. The company says that the group of hackers was able to access its network using stolen credentials, and planted malware and stole source code to give itself points of long-term access.
A late 2021 breach that was previously disclosed was thought to be limited to the company’s WordPress managed hosting customers, but another investigation was opened in late 2022 after other customers of the web hosting company began complaining that their sites were redirecting to other domains.
Hackers that specialize in web hosting company exploits lurked in GoDaddy systems for years
The hackers reportedly compromised the cPanel interface used by customers of the web hosting company’s shared environment, the majority of those that host websites with GoDaddy. The company is known primarily as a domain name provider, but also offers optional web hosting packages of various types. The company does not offer public breakdowns of its customer types, but its marketing materials indicate it has over 21 million in total.
GoDaddy said that “a sophisticated and organized group” had installed malware in the cPanel shared hosting environment, causing “intermittent” compromise of hosted websites in early December 2022. The websites were redirecting to other URLs apparently owned by the attackers.
The web hosting company did not provide any indication of how the breach took place, but the incident in November 2021 was caused by re-use of stolen credentials from some other source. The current incident may have been a follow-on from that, or a new compromise using the same method. GoDaddy says that only a “small amount” of its customers experienced the URL redirects in December; hackers can sometimes move laterally to other websites on a shared server of this type once one has been compromised, so the entry point could have once again been a case of credentials leaked in a prior data breach being re-used.
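Added example, not code from the article or from GoDaddy: a small audit check a site owner could run against their own pages, flagging HTTP, meta-refresh and JavaScript redirects that leave the site's own domains, the symptom the article describes. The sample responses and the allowed host list are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses (status, headers, body) standing in for what a
# hosted site might return; hostnames are placeholders, not real attacker domains.
SAMPLE_RESPONSES = {
    "clean": (200, {}, "<html><body>Welcome to example.com</body></html>"),
    "http_redirect": (302, {"Location": "https://unknown-ads.example.net/land"}, ""),
    "meta_refresh": (200, {}, '<meta http-equiv="refresh" content="0;url=https://unknown-ads.example.net/x">'),
    "js_redirect": (200, {}, "<script>window.location.href='https://unknown-ads.example.net/y';</script>"),
    "same_site_redirect": (301, {"Location": "https://www.example.com/home"}, ""),
    "relative_redirect": (302, {"Location": "/login"}, ""),
}

# <meta http-equiv="refresh" content="N;url=TARGET">
META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\'][^"\']*url=([^"\'>\s]+)', re.I)
# window.location.href = 'TARGET', location.replace('TARGET'), location = 'TARGET'
JS_RE = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["\']([^"\']+)["\']', re.I)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def same_site(host, allowed_hosts):
    # Relative targets (no host) stay on the site; otherwise require an allowed domain or subdomain.
    if not host:
        return True
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def find_redirect_targets(status, headers, body):
    """Collect every redirect the response would trigger, tagged by mechanism."""
    targets = []
    location = headers.get("Location")
    if 300 <= status < 400 and location:
        targets.append(("http", location))
    targets += [("meta-refresh", m.group(1)) for m in META_RE.finditer(body)]
    targets += [("javascript", m.group(1)) for m in JS_RE.finditer(body)]
    return targets

def audit(status, headers, body, allowed_hosts):
    """Return the (mechanism, url) redirects that send visitors off the site's own domains."""
    return [(kind, url) for kind, url in find_redirect_targets(status, headers, body)
            if not same_site(host_of(url), allowed_hosts)]

def audit_samples(samples, allowed_hosts):
    # Compromise was described as intermittent, so audit several fetches rather than one.
    return {name: audit(*resp, allowed_hosts) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_samples(SAMPLE_RESPONSES, ["example.com"]).items():
        print(name, "->", findings or "no off-site redirect")
```

Repeating the fetches at different times of day and from different networks matters, since the redirects may only be served to some visitors or some of the time.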
It would be helpful to know exactly how the criminals compromised the system and what malware they used, as many other web hosting companies use cPanel as well. GoDaddy did not provide any information about the identity of the suspects other than saying that the group targets web hosts and that it took some unspecified quantities of source code over the course of the attack.
Brad Hong, Customer Success Lead at Horizon3.ai, notes that GoDaddy will need to do much more to reassure customers given its security track record and the fact that the attackers apparently were able to lurk in its systems for two years (and pull off multiple incursions into customer websites, as well as stealing source code) before being detected: “This supposed multi-year advanced persistent threat actor group remained undetected for so long following remediation and mitigation measures from GoDaddy’s numerous past data breach incidents. Was it that this APT Group was that skilled or that GoDaddy’s security is that bad? The call for Federal-level legislation comes from a place of frustration from the consumer-level as virtually no persons are now untouched by data breaches and the pressure continues to build in an already whistling kettle of company apologies.”
“As standard, GoDaddy pushed the onus for action right back to its consumers, advising them to audit their own websites and trust GoDaddy’s security team after trust was broken, all while offering them free ‘Website Security Deluxe and Express Malware Removal’ services instead of fortifying their own kingdom time and time again. Maybe they should’ve used it themselves?” noted Hong.
Breach involving malware, source code dates back to 2019
The only other major insight provided by the web hosting company is that the prior incidents in 2019 and 2021 were perpetrated by the same group, and that it has had some sort of ongoing access during this time, including grabbing source code as well as accessing customer accounts.
In March 2020, the web hosting company disclosed that 28,000 customers had their credentials compromised in October 2019 and that attackers had connected to their hosting accounts via SSH. The November 2021 incident involved compromise of over 1.2 million WordPress managed hosting customers, a service that exists in a different hosting environment from the company’s other products. Rather than malware, that breach involved the compromise of an employee’s login credentials and exposed email addresses, WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of current clients.
GoDaddy experienced some other security incidents in 2018 and 2019, but it is not yet clear if those were connected to the current group of attackers, the planting of malware or the theft of internal source code. In late 2018, hackers hit upon a misconfigured database and made use of it to take over domains owned by major companies (such as Expedia and Yelp) and post bomb threat hoaxes and scam attempts. And in early 2019, hackers took over about 15,000 of the web hosting company’s domain names and used them to link to scam pages promoting bogus subscriptions to a variety of products such as weight loss supplements and CBD oil. That attack was thought to have stemmed from a massive phishing campaign that compromised hundreds of GoDaddy customers.
An early 2019 study by an independent security researcher found that a number of the other big name web hosting companies were vulnerable to common attacks. While GoDaddy might finally use this incident to improve security (after discovering the full extent of it), the fact that source code was stolen will leave natural doubts lingering about what future vulnerabilities might be found and exploited.