GoDaddy Hacked – GoDaddy Announces Source Code Stolen and Malware Installed in Breach

Web hosting company GoDaddy has revealed that an unauthorized party gained access to its servers and installed malware, causing the intermittent redirection of customer websites.

“In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected,” the company wrote in a blog post on Thursday.

“Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.”

GoDaddy added that working with law enforcement, the company has confirmed the attack was executed by a “sophisticated and organized group” targeting various hosting services.

“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

Brad Hong, customer success lead at Horizon3.ai, said that attackers did not “hack” their way into GoDaddy but instead used known compromised credentials to log in and leave vectors for reentry.

“This supposed multi-year advanced persistent threat actor group remained undetected for so long following remediation and mitigation measures from GoDaddy’s numerous past data breach incidents,” Hong told Infosecurity in an email.

“As standard, GoDaddy pushed the onus for action right back to its consumers, advising them to audit their own websites and trust GoDaddy’s security team after trust was broken, all while offering them free ‘website security deluxe and express malware removal’ services instead of fortifying their own kingdom time and time again. Maybe they should’ve used it themselves?”

GoDaddy shared more information about the breach in a 10-K form filed on Thursday with the US Securities and Exchange Commission (SEC).

The incident comes weeks after a malicious campaign targeting victims across the Middle East and North Africa was spotted using public cloud hosting services to host malicious CAB files and themed lures to spur Arabic speakers into opening infected files.

1.      GoDaddy Suffers Three-Year Cyberattack Siege by Hackers

GoDaddy revealed in a SEC filing on Thursday that it had found evidence of persistent hackers who had stolen some of its source code and placed malware on its network. The company says that in December 2022, customers began claiming that their websites were inexplicably being diverted to other domains. The company has not specified how many customers reported this. They believe the that hackers’ goal was to infect websites and servers with malware for phishing attacks, malware distribution, and other nefarious activities.

What’s worse is that GoDaddy believes these hackers are the same ones that have been giving them problems since 2020. They also noted in their SEC filing that in March of 2020, they noted that they, “discovered a threat actor compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel.” The SEC filing also states, “In November 2021, using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million active and inactive MWP customers across multiple GoDaddy brands.”

That is certainly a damaging run of cyber attacks for one of the biggest hosting brands out there.

2.      Cybersecurity Incident at MKS Blamed for Sales Shortfall for Applied Materials

Silicon Valley based Applied Materials, which is one of the world’s largest suppliers of equipment, services and software for the manufacture of semiconductor chips for various types of electronics, recently announced on their earnings call that their financials would be significantly impacted due to a “cybersecurity event” at a large supplier of theirs.

In the recent investor call, Gary Dickerson (President & CEO) noted, “Very recently, one of our major suppliers encountered a disruption that will impact our second quarter shipments. Brice will provide more details about this when he shares our guidance.” Brice Hill (CFO), later noted, “This guidance includes a negative adjustment of $250 million related to a cybersecurity event that was recently announced by one of our suppliers.” While Hill did not name the supplier, there has been much speculation that it is MKS Instruments Inc.

Reuters reported back on February 6 that MKS was investigating a ransomware attack. This situation is a stark reminder of just how fragile the supply chain can be, and the dire consequences of poor cybersecurity controls at critical third-party organizations. The importance of an effective third-party risk management program has never been more important.

3.      CNN Reports that FBI Systems Were Breached by Hackers

On Friday, in an exclusive report, CNN reported that the FBI’s systems were breached by hackers, although, what they were able to gain access to was limited. According to CNN’s sources, the event took place at the New York Field Office, and the attack deliberately targeted the systems utilized for the organization’s investigation of child exploitation images.

Details surrounding the hack were hard to come by apparently, as the CNN report was rather light on details. In a statement to CNN, the FBI had the following to say, “The FBI is aware of the incident and is working to gain additional information. This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.

It will be interesting to follow this story to see if anything further comes from this. It is hard to understand why and how a system that would hold this type of CSAM information would be hacked, and it leaves so many questions.

Agnes Berry