After web hosting firm GoDaddy revealed a multi-year breach resulting in stolen source code and malware that triggered some customers’ websites to redirect visitors to malicious URLs, questions are being raised about the lasting impact of the breach and the slow rollout of details to customers.
Specific revelations of the attack were made public on Thursday via a GoDaddy 10-K filing with the U.S. Securities and Exchange Commission (SEC). The SEC filings were in response to Federal Trade Commission subpoenas tied to the incidents, first made public in May 2020. At the time, GoDaddy did not detail the extent of the breach.
The GoDaddy disclosure last week also did not include technical details for the breaches or indicators of compromise that could be used by customers to fend off attacks or determine if they were impacted.
A post-breach analysis of the incident by GoDaddy indicated three significant attacks by one intruder.
GoDaddy breach rewind
One, in December 2022: GoDaddy reported for the first time that a sophisticated threat actor gained access to its cPanel hosting servers, then installed malware that “intermittently redirected random customer websites to malicious sites.”
On Feb. 16, GoDaddy issued a separate statement stating: “Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.”
Last week's disclosure of three separate attacks was the first time the company revealed the December 2022 breach and also the first time it linked the three attacks together.
In November 2021, the company reported the same attacker compromised its GoDaddy Managed WordPress service, a customized content management system made available to its customers. The intruder obtained source code tied to the WordPress system that allowed a further intrusion of the platform that included admin credentials for the service, access to FTP accounts and email addresses for 1.2 million current and inactive customers.
Finally, GoDaddy said that in March 2020 the attacker compromised 28,000 log-in credentials belonging to customers along with credentials tied to a “small number” of employee accounts.
Reason for concern?
Security researchers said the timeline of this breach has them concerned. Dwell times dating back several years tend to indicate poor overall security, a lack of threat hunting, and other systemic issues.
Hosting companies like GoDaddy have an unusual position on the internet that makes them a very attractive target for attackers, say security researchers. On the surface, they have an aggregation effect – hosting a lot of web infrastructure – so hack one target, receive many payoffs. It’s very useful for large-scale campaigns in which attackers need infrastructure to host and deliver malicious payloads.
Zane Bond, head of product at Keeper Security, theorized that if an advanced threat actor was lurking in GoDaddy’s system for multiple years and had been relatively quiet during that time, there’s no good reason for that attacker to suddenly begin redirecting low-value websites. Instead, Bond said this may be a case of multiple attackers breaching the company’s network simultaneously.
GoDaddy maintains, in its filings and public statements, that the attacks were carried out by one intruder. It’s unclear if the attacker was one individual or one group.
“A junior attacker could have been the one to begin redirecting these websites, which shined a light on other threat actors that were already inside,” said Bond.
Andrew Barratt, vice president at Coalfire, said while the source code intrusion is of great interest to attackers, the real gold mine is more likely GoDaddy’s domain hosting: the database of domain names to IP addresses and all the associated metadata.
Barratt said if attackers were eventually able to compromise DNS servers, it’s possible to change the direction of traffic, pointing legitimate entries to malicious sites – without the underlying sites necessarily realizing immediately, as they’re not subject to compromise.
In the case of the redirects reported by GoDaddy, the intruder planted malware on the website to conduct the redirects to malicious URLs.
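As an added illustration of the distinction drawn above (example code, not from the article or from GoDaddy), a defender-side check that classifies a probe of a hosted site as DNS-level tampering (the name resolves somewhere unexpected) or a server-side redirect (DNS is correct but the server's own response bounces visitors off-domain); the IPs, hostnames and probe data are constructed.

```python
from urllib.parse import urlsplit

# Constructed baseline for a hypothetical hosted site (not GoDaddy data).
EXPECTED_IPS = {"203.0.113.10"}            # documentation-range IP, assumed
ALLOWED_HOSTS = {"example.com", "www.example.com"}

def host_allowed(url, allowed_hosts):
    """True if the URL's host is an allowed host or a subdomain of one.
    The leading '.' in the suffix test keeps 'evil-example.com' from matching."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)

def classify_probe(resolved_ips, redirect_chain, expected_ips=EXPECTED_IPS,
                   allowed_hosts=ALLOWED_HOSTS):
    """Classify one probe of the site.

    resolved_ips   : set of A-record answers observed for the site's name
    redirect_chain : list of URLs followed, starting with the requested one
    Returns 'clean', 'dns_tampering' or 'server_side_redirect'.
    """
    # DNS scenario: the name now resolves outside the provider's expected IPs.
    if not set(resolved_ips) <= set(expected_ips):
        return "dns_tampering"
    # DNS is right, so any off-domain hop came from the server's own response
    # (e.g. malware planted on the hosting server issuing a redirect).
    for url in redirect_chain[1:]:
        if not host_allowed(url, allowed_hosts):
            return "server_side_redirect"
    return "clean"

def summarize_probes(probes):
    """Aggregate repeated probes; an intermittent redirect shows up as a minority verdict."""
    counts = {}
    for ips, chain in probes:
        verdict = classify_probe(ips, chain)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample: five probes, one hitting an intermittent redirect, one with DNS drift.
SAMPLE_PROBES = [
    ({"203.0.113.10"}, ["https://www.example.com/"]),
    ({"203.0.113.10"}, ["https://www.example.com/", "https://www.example.com/home"]),
    ({"203.0.113.10"}, ["https://www.example.com/", "https://bad.example.net/x"]),
    ({"203.0.113.10"}, ["https://www.example.com/"]),
    ({"198.51.100.7"},  ["https://www.example.com/"]),
]

if __name__ == "__main__":
    print(summarize_probes(SAMPLE_PROBES))
```

Because the redirects described above were intermittent, a single probe that comes back clean proves little; repeated sampling is what surfaces the minority verdict.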
Why so long to report?
Security pros grimace at GoDaddy’s delay in releasing details of the breach that would have been valuable to customers and IT security teams. While customers were notified in May 2020 of an attack, specifics related to the incidents and a list of indicators of compromise would have served customers better, security professionals argue.
According to the Identity Theft Resource Center, those companies that do report breaches are increasingly revealing less. A recent study found just 34% of public breach notices in the U.S. over the past year contained basic details about attack methods or victims, the lowest number tracked over the past five years and a 50% drop since 2019.
The reluctance by companies to report breaches and details tied to attacks has real world consequences for unaware victims, according to the report. Less information puts impacted customers and businesses at higher risk for identity theft, fraud and spearphishing attacks that rely on stolen data.
Brett Callow, a ransomware researcher at Emsisoft, told SC Media that this lack of visibility has been particularly noticeable around ransomware, where it’s widely understood that many companies and even governments decide to quietly pay or avoid reporting a breach to the public. “Information is power and in cybersecurity, it’s the path to prevent other, similar incidents. The more we know the more effective our counterstrategies can be,” said Callow.
(SC Media reporter DEREK B. JOHNSON contributed to this report)