Posted on March 5, 2023 at 7:24 AM
Hackers conducted a multiyear campaign against web hosting provider GoDaddy
Threat actors might have had access to GoDaddy for three years, and they are believed to have been wreaking havoc at the company since around March 2020. The hackers may have returned to the platform repeatedly, or may never have left, despite the company's efforts to expel them.
Hackers might have stayed in GoDaddy network for three years
GoDaddy has issued a statement admitting that hackers might have continued spying on its network for three years. According to the company, the hackers inside its systems installed malware on the network and stole portions of its source code.
The company said that it first detected the activity of these hackers in December last year. At the time, some of its customers reported that their websites were being redirected to other domains for no apparent reason.
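One way a site owner or hosting provider could detect the symptom customers reported here, sites silently sending visitors to unrelated domains, is to walk each site's redirect chain and alert on any hop that leaves the domains the owner expects. The following is an added example, not GoDaddy's code or anything from the article; the URLs, HTTP responses and allowed-host list are constructed sample data, and the fetch function stands in for a real HTTP HEAD request.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample of HTTP responses keyed by URL, standing in for live
# fetches: (status code, Location header or None). The third hop models a
# compromised site bouncing visitors to an unrelated domain.
SAMPLE_RESPONSES = {
    "http://shop.example.com/": (301, "https://shop.example.com/"),
    "https://shop.example.com/": (302, "/landing"),
    "https://shop.example.com/landing": (302, "http://malicious.example.net/promo"),
    "http://malicious.example.net/promo": (200, None),
    "https://blog.example.com/": (200, None),
}

def fake_fetch(url):
    """Stand-in for an HTTP HEAD request; returns (status, location)."""
    return SAMPLE_RESPONSES.get(url, (404, None))

def follow_redirects(start_url, fetch, max_hops=10):
    """Return the list of URLs visited, starting with start_url."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)      # Location may be relative
        if url in chain:                  # stop on a redirect loop
            break
        chain.append(url)
    return chain

def off_domain_hops(chain, allowed_hosts):
    """Hosts in the chain that are neither an allowed host nor a subdomain of one."""
    bad = []
    for url in chain:
        host = urlsplit(url).hostname or ""
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            bad.append(host)
    return bad

def check_site(start_url, allowed_hosts, fetch=fake_fetch):
    """Walk the redirect chain for one site and report any off-domain hops."""
    chain = follow_redirects(start_url, fetch)
    return {"chain": chain, "off_domain": off_domain_hops(chain, allowed_hosts)}

if __name__ == "__main__":
    for site in ("http://shop.example.com/", "https://blog.example.com/"):
        result = check_site(site, ["example.com"])
        verdict = "ALERT" if result["off_domain"] else "ok"
        print(verdict, site, "->", result["chain"][-1])
```

Run periodically against every hosted site, the same check also catches redirects that only appear intermittently, since each run records the full chain rather than a single final status.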
According to GoDaddy, it was investigating the security threat and working with law enforcement authorities, who informed the company that the objective of these hackers was to infect servers and websites with malware. The malware was then used to run phishing campaigns, distribute further malware and conduct other malicious activities.
GoDaddy made a filing to the US Securities and Exchange Commission (SEC) saying that it believes the threat actors identified in the recent intrusion are the same ones that were identified within the company's networks in March 2020. Those threat actors stole the login credentials of 28,000 customers and also obtained access credentials of some GoDaddy employees. At the time, the hosting provider said that the hackers had used web hosting account credentials in October 2019 to connect to hosting accounts over SSH.
In November 2021, these threat actors caused significant havoc within the GoDaddy ecosystem. At the time, they used a stolen password to compromise the WordPress accounts of 1.2 million customers.
In the 2021 breach, the hackers were able to access user email addresses, usernames and passwords, and in some cases the SSL private keys of websites. The filing noted that the company's investigation indicated the hackers might have had access to the network for several years.
“Based on our investigation, we believe these incidents are part of a multiyear campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the SEC filing said.
The company also issued a statement to its customers apologizing for the inconvenience the breach might have caused them and the visitors to their websites.
The company hinted at taking additional security measures to ensure that similar incidents do not happen in the future. “We are using lessons from this incident to enhance the security of our systems and further protect our customers and their data,” the company added.
However, customers are yet to be reassured by the company's commitment to ensure that a similar breach does not happen in the future. The company's assurances would carry more weight if this were not the third time its security systems had faced a similar breach. Moreover, GoDaddy had acknowledged being targeted by the same threat actor group in the past.
Hackers might be targeting other hosting companies
While this intrusion could stem from the threat actors that infiltrated GoDaddy's systems three years ago, the company believes that the hackers' actions indicate the breach could be part of a broader hacking campaign targeting hosting companies.
According to GoDaddy, the company might have found additional evidence indicating that these threat actors were part of a broader hacking campaign that targeted other hosting companies globally in recent years. Going by this analysis, other web hosting companies might also have been targeted, putting their customers at risk.
The company issued a statement on the matter saying that it had found evidence of similar hacking campaigns on other hosting companies, adding that this activity was confirmed by law enforcement authorities. It further said that the goal behind the breach was to install malware on websites and servers to conduct phishing campaigns and other malicious activities.
GoDaddy is one of the largest web hosting companies globally. The platform is used by more than 20 million customers who rely on it for hosting services. Therefore, the extent of this breach could be severe because of the vast user base.