GoDaddy's compromise.
N2K logoFeb 21, 2023

Threat actor apparently had access to GoDaddy’s network for years.

GoDaddy's compromise.

GoDaddy has disclosed that it discovered a breach in December 2022 that resulted in a threat actor redirecting customer websites to malicious domains, BleepingComputer reports.

Threat actor targets hosting services.

GoDaddy says the threat actor was able to install malware in the company’s cPanel shared hosting environment:

“In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected. Upon receiving these complaints, we investigated and found that the intermittent redirects were happening on seemingly random websites hosted on our cPanel shared hosting servers and were not easily reproducible by GoDaddy, even on the same website.

“As our investigation continued, we discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites. Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.

“We are working with multiple law enforcement agencies around the world, in addition to forensics experts, to further investigate the issue. We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

GoDaddy also stated in an SEC filing that it believes the same threat actor was responsible for security incidents the company disclosed in 2020 and 2021:

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”

Industry comment.

Brad Hong, Customer Success Lead at Horizon3ai, offered the following observations:

“Beyond all the buzzwords in the breach notification, at the core, the attackers didn’t ‘hack’ their way into GoDaddy, but rather used known compromised credentials to log in and leave vectors for reentry.

“Supply chain management has gotten immensely more complex as any company providing any service to any internet user, especially with the increasing use of infrastructures-as-a-service, is now a part of this often omitted evaluation. This includes web hosts like GoDaddy and Wordpress and picking vendors based on their security efforts, usually out of expertise for the layman.

“This supposed multi-year advanced persistent threat actor group remained undetected for so long following remediation and mitigation measures from GoDaddy’s numerous past data breach incidents. Was it that this APT Group was that skilled or that GoDaddy’s security is that bad?

“The call for Federal-level legislation comes from a place of frustration from the consumer-level as virtually no persons are now untouched by data breaches and the pressure continues to build in an already whistling kettle of company apologies.

“Companies collect, digest, and even sell our data as data custodians, right up until they lose it and with little incentive or punishment for improvement, or lack thereof, consumers are going to continue to see more incidents like this and the impact will only get worse.

“As standard, GoDaddy pushed the onus for action right back to its consumers, advising them to audit their own websites and trust GoDaddy’s security team after trust was broken, all while offering them free “Website Security Deluxe and Express Malware Removal” services instead of fortifying their own kingdom time and time again. Maybe they should’ve used it themselves?

“Every organization takes on the responsibility of serving as a protector of data when a person does business with them and as such should continuously be validating their security controls and tools through testing, from every perspective and blast radius, and ensure blue teams are not at max capacity just playing whack-a-mole but making valiant strides to future-proof the security stack.”

(Added, 4:45 PM ET, February 22nd, 2023. We also heard from Kevin Kirkwood, Deputy CISO at LogRhythm, who offers some inferences from the disclosures concerning the incident:

"It is apparent that GoDaddy did not do a deeper drive through their environments after the first breach, or even the second incident (where 1.2M Wordpress accounts were compromised). After the third incident, where webpages were actually redirected, GoDaddy finally reached the realization that they had bigger problems.

"In the initial incident, the attacker gave themselves back doors to the environment that they had access to, were able to traverse to other environments, sprayed additional malware, and even got to the point where they were able to access and insert malicious code into the source code of the core applications of GoDaddy.

"The journey is ending where they should have started—the company should have done their due diligence by doing a full forensic analysis after the first incident. When a company experiences a cyber incident, some basic blocking and tackling can be put in place to help discover illicit activity. A SIEM is a starting point for ensuring that folks have the ability to collect, analyze and build alerts off of the logs from their existing environments. Taking that to the next level, everyone should have a version of User Entity Behavior Analysis (UEBA) and a Network Detection and Response (NDR) tool. Tying the information from logs, the data coming in about users and devices from the UEBA and corresponding data from the NDR sets the stage for avoidance.")