GoDaddy Hosting Hacked — for FOURTH Time in 4 Years

GoDaddy’s web hosting service breached yet again. This time, the perps were redirecting legit websites to malware.

GoDaddy’s not telling us much, but it says this is the same gang that hacked GoDaddy three previous times. Squint at what we know so far, and it sounds like GoDaddy never actually eliminated the scrotes’ foothold.

Hey, GoDaddy: It’s bad enough you keep reporting hacks—but if it’s the same hack you failed to clean up three previous times? Inexcusable. In today’s SB Blogwatch, we note the trouble started around the time CEO Aman Bhutani (pictured) moved from Expedia to GoDaddy. Just sayin’.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: AI Presidents debate Halo.

4th Time’s a Charm

What’s the craic? Sergiu Gatlan reports—“GoDaddy: Hackers stole source code, installed malware in multi-year breach”:

Over the years
GoDaddy discovered the security breach following customer reports in early December 2022 that their sites were being used to redirect to random domains. [But] the attackers had access to the company’s network for multiple years.

Previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign. … The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers … gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and [some] SSL private keys. … After the March 2020 breach, GoDaddy alerted 28,000 customers that an attacker used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.

It also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years … the hosting company said.

And Dan Goodin adds—“Three breaches over as many years all carried out by the same threat actor”:

A series of suspicious events
A multi-year security compromise that allowed unknown attackers to steal company source code, customer and employee login credentials, and [gain] access to the cPanel hosting servers customers use to manage websites hosted by GoDaddy. The threat actor then installed malware … that redirected customer websites to malicious sites.

Over the years, security lapses and vulnerabilities have led to a series of suspicious events involving massive numbers of sites hosted by GoDaddy. In 2019, for instance … GoDaddy allowed hackers to hijack dozens of websites owned by Expedia, Yelp, Mozilla, and others. … The DNS vulnerability exploited by the hackers had come to light three years earlier. Also in 2019, a researcher uncovered a campaign that used hundreds of compromised GoDaddy customer accounts to create 15,000 websites that published spam.

Horse’s mouth? CMO Fara Howard and her anonymous PR team draw up a statement—“Recent website redirect issues”:

We apologize for any inconvenience this may have caused
We discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites. … We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy … for phishing campaigns, malware distribution and other malicious activities.

We apologize for any inconvenience this may have caused to any of our customers or visitors to their websites. We are using lessons from this incident to enhance the security of our systems.

But that apology doesn’t reassure Andrew Couts and Andy Greenberg much:

That apology … would be more reassuring if it weren’t the [fourth] time GoDaddy confessed to being breached by the same hacker group in as many years. … Discovering that hackers have had stealthy access to your corporate network for [four] years is bad enough. [But] a group of hackers it had repeatedly spotted inside its network had returned—or never left—and have been wreaking havoc in its network since at least [2019], despite all the company’s attempts to expel them.

ELI5? Paul Ducklin explains the latest hack like you’re five—“Redirect control considered harmful”:

The subterfuge can be hard to spot
As you can imagine, having insider access to a company’s web redirection settings effectively means that you can hack their web servers without modifying the contents of those servers directly. Instead, you can sneakily redirect those server requests to content you’ve set up elsewhere.

Anyone checking their access and upload logs for evidence of unauthorised logins or unexpected changes to the … files that make up the official content of their site will see nothing untoward, because their own data won’t actually have been touched. Worse still, if attackers trigger malicious redirects only every now and then, the subterfuge can be hard to spot—that seems to have been what happened to GoDaddy.
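Ducklin’s point is that server-side logs can’t catch this kind of redirect hijack, so the check has to come from outside, repeatedly, the way a visitor would see it. The script below is an added example written for this column (it is not Sophos’s, GoDaddy’s, or cPanel’s code): it fetches a page without following redirects, classifies any 3xx by whether the Location header stays on an allow-listed host, and treats even one off-site hit across many probes as an alert, since an intermittent redirect fires only some of the time. The hostnames `example.com` and `evil.example.net` and the sample probe list are constructed for illustration.

```python
"""
Out-of-band redirect check: fetch a site the way a visitor would and flag any
response that redirects off the expected domain.  Added example, not code from
GoDaddy, cPanel or Sophos.  Hosts, sample responses and the allow-list below
are constructed for illustration.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class Probe:
    """One observed HTTP response: requested URL, status code, Location header."""
    url: str
    status: int
    location: str = ""


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx surfaces for inspection."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_probe(url: str, timeout: float = 10.0) -> Probe:
    """Fetch one URL without following redirects (needs network; unused offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (redirect-monitor)"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(url, resp.status, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:   # a refused 3xx is raised as HTTPError
        return Probe(url, err.code, err.headers.get("Location", ""))


def on_allowed_host(target: str, allowed_hosts) -> bool:
    """True if the target host is an allow-listed host or a subdomain of one.
    Suffix match on '.' + host, so 'example.com.evil.net' does not pass."""
    host = (urlparse(target).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def classify(probe: Probe, allowed_hosts) -> str:
    """Return 'ok', 'redirect-no-location' or 'offsite-redirect'."""
    if probe.status not in REDIRECT_CODES:
        return "ok"
    if not probe.location:
        return "redirect-no-location"
    target = urljoin(probe.url, probe.location)   # Location may be relative
    return "ok" if on_allowed_host(target, allowed_hosts) else "offsite-redirect"


def find_hijacks(probes, allowed_hosts):
    """Map each URL with at least one bad probe to the list of offending targets.
    A single hit is enough: an intermittent hijack fires on only some requests,
    so one clean fetch proves nothing."""
    hits = {}
    for p in probes:
        if classify(p, allowed_hosts) != "ok":
            target = urljoin(p.url, p.location) if p.location else "(no Location header)"
            hits.setdefault(p.url, []).append(target)
    return hits


# Constructed sample: six probes; only the third redirects away from the site,
# and the /login probe is a legitimate in-site redirect that must not alert.
ALLOWED = {"example.com"}
SAMPLE_PROBES = [
    Probe("https://example.com/", 200),
    Probe("https://example.com/", 200),
    Probe("https://example.com/", 302, "https://evil.example.net/landing?ref=x"),
    Probe("https://example.com/", 200),
    Probe("https://example.com/login", 301, "/login/"),
    Probe("https://example.com/", 200),
]

if __name__ == "__main__":
    for url, targets in find_hijacks(SAMPLE_PROBES, ALLOWED).items():
        print(f"ALERT {url} -> {targets}")
```

Run it on a schedule from a network the hosting provider doesn’t control, vary the User-Agent and Referer between probes (hijack malware often keys on them), and keep the raw responses: a one-in-twenty redirect is exactly the pattern the quoted passage says is easy to miss.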

Are we surprised? skogs isn’t:

I don’t think anybody is surprised by this. Nor is anybody surprised by how long (multiple years) it took them to finally figure it out.

cPanel, GoDaddy, and WordPress: Are there another three organizations out there that work together which combined have less respect?

How should GoDaddy fix their infrastructure? Nuke it from orbit, thinks dcdp—it’s the only way to be sure:

If an attacker has multi-year access to your internal network, it pretty much says you have to start again from scratch with a new setup that is completely divorced from the old one. I just can’t see you being able to be sure you have them completely out otherwise. However, given GoDaddy didn’t get them out over the previous 3 years, it casts doubt on whether they could keep them out of the new setup.

Or just shut down the company? Never gonna happen, thinks u/secret_configuration:

If Equifax still exists, then so will GoDaddy. But both companies should be shut down after such blatant disregard for security.

But how could this have happened? Jerry Rivers alleges an allegation:

I tried GoDaddy once—and only once. Literally minutes after I registered a domain I was phished by what appeared to be a Russian operation, which seemed to already know way too much about me. I tried to report it to GD support, but its support site was unavailable and nobody would answer the phone. I immediately cancelled my GD account.

I’m not at all shocked that this is only being reported now. It seems pretty obvious that there was an insider.

Unsurprisingly, Cactist isn’t surprised, either:

Not surprised. … GoDaddy has been a consistent dumpster fire over the years.

Meanwhile, Lil Endian’s grandfather cut off one of his own fingers while breaking an egg: [You’re fired—Ed.]

Bad Daddy, bad! You may Go now.

And Finally:

AI Trump is correct: Halo 3 is peak Halo

NSFW: Occasional swears

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: GoDaddy

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
