‘Sophisticated’ Threat Actor Stole GoDaddy Code
Threat actors lingered in GoDaddy’s systems, installing malware and stealing source code in a security incident that lasted years.
After receiving complaints from a few customers in December that their websites were being “intermittently redirected,” the web hosting service said it “found that the intermittent redirects were happening on seemingly random websites hosted on our cPanel shared hosting servers and were not easily reproducible by GoDaddy, even on the same website.”
During a probe of the complaints, GoDaddy “discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites,” the company said in a release. “Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.”
So far, the investigation has confirmed that the incident was perpetrated by a “sophisticated and organized group” that targets hosting services. “Their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities,” said GoDaddy, which is “actively collecting evidence and information regarding their tactics and techniques to help law enforcement.”
The incident spun out over multiple years. “Beyond all the buzzwords in the breach notification, at the core, the attackers didn’t ‘hack’ their way into GoDaddy, but rather used known compromised credentials to log in and leave vectors for reentry,” said Brad Hong, customer success lead at Horizon3ai. “This supposed multi-year advanced persistent threat actor group remained undetected for so long following remediation and mitigation measures from GoDaddy’s numerous past data breach incidents. Was it that this APT group was that skilled or that GoDaddy’s security is that bad?”
The company referred to its findings thus far in a 10-K filed earlier on Friday, February 17, 2023, with the Securities and Exchange Commission, noting that there has not been any significant fallout from this incident and others. “To date, these incidents as well as other cyberthreats and attacks have not resulted in any material adverse impact to our business or operations, but such threats are constantly evolving, increasing the difficulty of detecting and successfully defending against them,” GoDaddy said in the filing.
But the company did say a history of past security incidents might provoke greater risk if a new incident were to occur. “If the security of the confidential information, personal information or payment card information we or our vendors or partners maintain, including that of our customers and the visitors to our customers’ websites stored in our systems, is breached or otherwise subjected to unauthorized access, our reputation may be harmed and we may be exposed to liability,” the filing noted.
The company explained that its business involves storing and transmitting confidential information and that almost all of its products are cloud-based with customer data stored on vendor and partner servers. GoDaddy added it “cannot guarantee that inadvertent or unauthorized use or disclosure of such information will not occur or that third parties, including nation-states and bad actors, or our personnel, or those of our vendors will not gain unauthorized or other malicious access to this information or systems where personal information is processed despite our preventative efforts or those of our vendors or partners.”
A breach anywhere along the way could subject the web hosting service “to liability, loss of business, litigation, government investigations or other losses.” Risk and liability increase as the company pairs with vendors and other third parties. “We also anticipate being required to expend significant resources to maintain and improve our oversight of vendors and other third parties with whom we share data or otherwise process data on our behalf,” the filing said. “In addition, our customers and partners have in the past and may in the future request we produce evidence of our data security program as part of their own compliance programs. Responding to such requests may be costly and time consuming.”
Managing supply chains “has gotten immensely more complex as any company providing any service to any internet user, especially with the increasing use of infrastructure-as-a-service, is now a part of this often omitted evaluation,” said Hong. “This includes web hosts like GoDaddy and WordPress and picking vendors based on their security efforts, usually out of expertise for the layman.”
More recently, such incidents have ramped up the call for federal legislation. It “comes from a place of frustration from the consumer level, as virtually no persons are now untouched by data breaches and the pressure continues to build in an already whistling kettle of company apologies,” said Hong. And the frequency of incidents will only increase as companies go unpunished when the data that they collect, digest, store and sell gets compromised.
Hong chastised GoDaddy for putting the burden on the consumer. “As is standard, GoDaddy pushed the onus for action right back to its consumers, advising them to audit their own websites and trust GoDaddy’s security team after trust was broken, all while offering them free ‘Website Security Deluxe and Express Malware Removal’ services instead of fortifying their own kingdom time and time again,” he said. “Maybe they should’ve used it themselves?”
Organizations should serve “as a protector of data when a person does business with them and, as such, should continuously be validating their security controls and tools through testing, from every perspective and blast radius,” Hong said. They should also “ensure blue teams are not at max capacity just playing whack-a-mole but making valiant strides to future-proof the security stack.”