GoDaddy discloses a new data breach

Pierluigi Paganini February 18, 2023

GoDaddy discloses a security breach, threat actors have stolen source code and installed malware on its servers in a long-runing attack.

Web hosting company GoDaddy announced that attackers have stolen source code and installed malware on its servers. The threat actors have breached its cPanel shared hosting environment, the company states that it is not able to determine the timing of the initial compromise, however, it is still investigating the breach to determine the root cause of the incident.

The malware installed on the systems of the company was intermittently redirecting random customer websites to malicious sites.

The security breach was discovered in December 2022 after customer reported that their sites were being used to redirect to random domains.

The company believes that it was the victim of an attack conducted by a sophisticated threat actor, it also added that the attacks have not impacted their business or operations.

The web hosting company revealed to have evidence linking the threat actors to the attacks to other web hosting provides worldwide over the years.

“We are working with multiple law enforcement agencies around the world, in addition to forensics experts, to further investigate the issue. We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy.” reads a statement from the company. “According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

According to the company, the attack is part of a multi-year campaign that was the cause of the data breaches disclosed in November 2021, which impacted 1.2 million customers, and March 2020, which exposed data of 28,000 customers.

“In December 2022, an unauthorized third party gained access to and installed malware on our cPanel hosting servers. The malware intermittently redirected random customer websites to malicious sites.” reads a FORM- 10-K filed with SEC. “Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”

The company announced that it will continue to invest to secure its infrastructure, but warns that threat actors are becoming even more aggressive a sophisticated and that current geopolitical situation is worsening the situation.

“Advances in computer capabilities, discoveries of new weaknesses, increased likelihood of nation-state cyber attacks (including retaliatory cyber attacks by Russia in response to economic sanctions resulting from the Russia-Ukraine military conflict), and other developments with software generally used by the Internet community, such as the Meltdown and Spectre vulnerabilities, which exploit security flaws in chips manufactured in the last 20 years, the Shellshock vulnerability in the Linux Bash shell, the Log4Shell vulnerability in the widely used logging library Log4j, continually evolving ransomware attacks, or developments related to vendor software (e.g., SolarWinds Orion product incident), also increase the risk that we, or our customers using our servers and services, will suffer a security breach.” concludes the company. “We expect to continue to expend significant resources to protect against security breaches and other data security incidents. The risk that these types of events could seriously harm our business is likely to increase as we expand the number of cloud-based products we offer and operate in more countries.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

you might also like

leave a comment