GoDaddy, a major web hosting provider, reported that an unknown hacker had infiltrated their cPanel shared hosting environment, stealing source code and installing malware on the servers.
The incident was discovered in early December 2022 when customers began to report that their sites were being redirected to random domains. It is believed that the attacker had access to GoDaddy's network for a few years before detection.
In the Securities And Exchange Commission's filing, it states "In December 2022, an unauthorized third party gained access to and installed malware on our cPanel hosting servers. The malware intermittently redirected random customer websites to malicious sites. We continue to investigate the root cause of the incident. Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy. To date, these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations, but such threats are constantly evolving, increasing the difficulty of detecting and successfully defending against them. In case of a future incident, a history of past incidents, such as those mentioned herein, may increase the risk of higher sanctions, or that investigations into past incidents may be re-invigorated."
The company has stated that the multi-year campaign is connected to breaches which were revealed in November 2021 and March 2020.
In November 2021, a data breach occurred that affected 1.2 million Managed WordPress customers. It was discovered that the attackers had breached GoDaddy's WordPress hosting environment by using a compromised password.
As a result, they gained access to the email addresses of all impacted customers as well as their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of some active clients.
Additionally, GoDaddy alerted 28,000 customers in March 2020 that someone had used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.
GoDaddy is currently collaborating with external cybersecurity forensics professionals and law enforcement organizations from all over the world in order to conduct an investigation into the source of the breach.
GoDaddy has discovered further proof connecting the malicious actors to a larger effort targeting other web hosting services around the world during a prolonged period.
In a statement released on February 16, 2023, Godaddy stated "We are working with multiple law enforcement agencies around the world, in addition to forensics experts, to further investigate the issue. We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities."
As we continue to monitor their behavior and block attempts from this criminal organization, we are actively collecting evidence and information regarding their tactics and techniques to help law enforcement. We shared this information in our 10-K that was filed earlier today."
We apologize for any inconvenience this may have caused to any of our customers or visitors to their websites. We are using lessons from this incident to enhance the security of our systems and further protect our customers and their data.
Join the discussion
0 Comment(s)