GoDaddy started as a simple domain registrar that made a splash with slick marketing and women in limited clothing. They tried to make buying domains sexy. Holding your domains or selling security certificates is a pretty benign process. As they began offering web design, hosting and email services, things got a bit trickier.

What we always suspected as a community came out as truth a couple of weeks ago. GoDaddy’s network and the organization had suffered a multi-year security compromise that allowed attackers to steal the company’s source code and customer and employee login credentials. They also installed malware that redirected customer websites to malicious sites. Currently, the hackers are still unidentified.

In a recent filing with the U.S. Securities and Exchange Commission (SEC), GoDaddy admitted that three serious security events took place from 2020 through 2022. All three were perpetrated by one attacker. GoDaddy wrote, “Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”

GoDaddy indicates the investigation is ongoing.

The most recent event occurred in December 2022, when the threat actor gained access to the customer hosting servers. These are the computers that store customers' website code. The attackers installed malware on the servers that “intermittently redirected random customer websites to malicious sites.” GoDaddy only learned about this issue through customer complaints that their sites were occasionally being redirected elsewhere.

GoDaddy continued in the SEC filing, “We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”
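An intermittent redirect like the one described above only surfaces if someone is looking for it. The following is an added example, not code from GoDaddy or from the original post: a small Python check that reviews a series of HTTP probes of one hosted site and flags any redirect whose target host falls outside the site's own allowed domains. The probe data and the `.invalid` hostnames are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample of what a periodic probe of one hosted site might record:
# (probe number, HTTP status, Location header or None). Not real data.
SAMPLE_PROBES = [
    (1, 200, None),
    (2, 200, None),
    (3, 302, "https://www.example.com/shop"),            # same-site, benign
    (4, 302, "http://cheap-pills-offer.invalid/landing"),  # off-site, suspicious
    (5, 200, None),
    (6, 301, "https://login.example.com/"),             # allowed subdomain
    (7, 302, "//evil-redirect.invalid/"),               # protocol-relative form
    (8, 302, "/cart"),                                  # relative path, stays on site
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def host_of(location):
    """Extract the host from an absolute, protocol-relative or relative Location."""
    if location.startswith("//"):
        location = "https:" + location   # protocol-relative URLs still leave the site
    return urlparse(location).hostname   # None for a bare path such as "/cart"


def host_allowed(host, allowed_domains):
    """True if the host is one of the allowed domains or a subdomain of one."""
    if host is None:
        return True                      # relative redirect: same host as the probe
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def find_offsite_redirects(probes, allowed_domains):
    """Return (probe number, status, host) for every redirect that leaves the site.

    Only a fraction of probes trip the malware, so every probe is inspected and
    the hits are collected rather than stopping at the first clean response.
    """
    findings = []
    for number, status, location in probes:
        if status not in REDIRECT_STATUSES or location is None:
            continue
        host = host_of(location)
        if not host_allowed(host, allowed_domains):
            findings.append((number, status, host))
    return findings


if __name__ == "__main__":
    for hit in find_offsite_redirects(SAMPLE_PROBES, {"example.com"}):
        print("off-site redirect in probe %d (HTTP %d) to %s" % hit)
```

Run against real probes, the same function would turn the "occasional" redirect that customers reported into an alert on the hosting side before the first complaint arrives.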

The phrase “targeting hosting services like GoDaddy” raises the question: what other companies have been affected? We have not seen any other hosting provider come forward with similar revelations.

Another incident took place in September 2021. An attacker obtained a password that gave them access to source code for GoDaddy’s Managed WordPress service. WordPress is a software package, or content management system, that runs millions of websites across the globe. They used these stolen credentials to access the WordPress admin accounts of 1.2 million customers. GoDaddy did not discover the breach for two months.

This is just the tip of the iceberg when it comes to problems with GoDaddy’s infrastructure. In 2019, a misconfigured server allowed hackers to hijack dozens of websites owned by Expedia, Yelp, and others. The attacker used the vulnerability to publish a ransom note threatening to blow up buildings and schools. The vulnerability had been known for three years before GoDaddy took any action to mitigate the risk.

Also in 2019, a researcher uncovered a campaign that used hundreds of sets of credentials stolen from GoDaddy to create 15,000 websites promoting bogus weight loss programs.

This all seems too similar to the LastPass breach that we saw unfold before our eyes last year. LastPass and GoDaddy were both aware of an intrusion, and neither fully cleaned it up. Many times, when we detect an intrusion, we take measures that seem extreme to some clients to clean up the breach. This is why. Once a threat actor learns you have an open door, they will use it over and over. A full post-intrusion clean-up means that any data the attacker obtained becomes useless.

When a breach is detected, systems must be wiped and rebuilt from scratch. All users, not just the affected ones, must change their passwords and access credentials.

The saying among IT professionals was that friends don’t let friends use GoDaddy. The statement now seems prophetic.