Security Experts Condemn GoDaddy's Response to the "Multi-Year" Hack

Customers are still in the dark about the attack's specifics because GoDaddy did not disclose the breach until more than three months after it had occurred.

After GoDaddy announced a significant breach last week, where hackers may have had access to the company's network for years, the infosec industry has voiced concerns.

In a statement on its website and in a 10-K filing with the Securities and Exchange Commission (SEC), GoDaddy said last week that it had detected the breach in December after receiving customer complaints. According to the ongoing investigation with law enforcement, unidentified threat actors breached GoDaddy's corporate network and then planted malware on its cPanel hosting servers; the malware intermittently redirected visitors of customers' websites to fraudulent sites.

According to the company's statement, "we have proof, and law enforcement has confirmed, that this incident was carried out by a sophisticated and coordinated gang targeting hosting businesses like GoDaddy." 

With more than 21 million clients, GoDaddy is one of the biggest domain registrars and hosting companies. The attackers' main goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other harmful operations.

GoDaddy stated in its 10-K filing that the breach is related to security incidents that date back to March 2020, when hackers stole more than 20,000 login credentials, and November 2021, when an attacker breached its Managed WordPress hosting service and stole SSL keys, potentially affecting up to 1.2 million customers. 

"Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy," GoDaddy stated in the SEC filing.

Despite the two disclosures, GoDaddy has not provided its clients with any technical details or indicators of compromise (IOCs) to help them protect themselves against the ongoing threat. The company also delayed disclosing the breach for more than two months.

In a blog post published earlier this week, Sophos' lead research scientist Paul Ducklin criticised the disclosure's lack of IOCs and technical specifics as well as its delay. Ducklin also pointed to the risk of threat actors gaining "inside access" to GoDaddy's site redirection settings: one of the biggest concerns, he noted, is that such access lets attackers hijack web servers without having to alter server content directly.

Although it took GoDaddy several months to publicly disclose the breach, Stanley Lim, a software engineer at Snap Inc., had already reported suspicious behaviour in a blog post on December 20, 2022. After GoDaddy website owners complained about unusual redirects, Lim investigated and discovered that the redirect destination varied depending on the visitor's IP address or location; users were occasionally led to fraudulent websites.

Some users also raised concerns about suspicious redirect activity on their GoDaddy websites on the Cloudflare community forum in December. Even after repeated attempts to clean their sites of malware and unauthorised access, some were baffled by the persistent redirects.

GoDaddy questioned 

Although GoDaddy claimed it remedied the situation and added security measures in the wake of the most recent attack, it is unclear how well it handled the earlier security incidents and how those contributed to the most recent data breach. Security researchers who had previously brought the seriousness of these issues to GoDaddy's attention were dissatisfied with its reaction.

For instance, Zach Edwards, senior manager of the threat insights team at Human Security, wrote a blog post two years ago after learning that compromised GoDaddy websites had impacted U.S. government agencies, such as the Federal Disaster Management Agency. On Twitter last week, Edwards highlighted that research and GoDaddy's inadequate response to it.

In his blog post from December 2021, Edwards quoted GoDaddy's answer to his investigation and described as "crazy" the parts of the company's response that seemed to downplay his concerns about the hostile activity.

GoDaddy replied to Edwards by writing, "We won't be reporting another SEC incident alleging a breach anytime soon. Consumers are in charge of the information on their websites." 

Wordfence noted a spike in malware sightings on GoDaddy's managed WordPress service in 2022, about a year after GoDaddy acknowledged the WordPress breach. Mark Maunder, CEO of Defiant Inc., the company behind Wordfence, disclosed that 298 websites, at least 281 of which were hosted by GoDaddy, had been compromised with a backdoor. Wordfence appears to have received no response.

It is unclear whether the recent campaign against GoDaddy is related to the heightened malware activity from last year.