GoDaddy announced in a statement on Thursday that unknown attackers had infiltrated its cPanel shared hosting environment, installed malware on its network and stolen portions of its source code. According to the company’s SEC filing, the intrusion was discovered in early December 2022 after customers reported that their websites were being intermittently redirected to other domains. By then the attackers had already had access to GoDaddy’s network for multiple years. The company has not disclosed the number of affected customers, and it is investigating the breach in collaboration with law enforcement.
GoDaddy describes the incidents as part of a multi-year campaign by a sophisticated and organized threat actor group that targets hosting providers like GoDaddy and has affected other hosting companies worldwide over the years. The group also stole pieces of code related to some of its services. According to the company, the attackers’ apparent objective is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.
GoDaddy is a major domain registrar and hosting provider with over 20 million customers globally. Despite numerous attempts to expel them, the hackers responsible for the breach had been present in the company’s network since at least March 2020. In fact, GoDaddy believes that the same group was behind a previous incident in which they stole login credentials from 28,000 customers and some of the company’s staff. The company is now investigating the breach and working with law enforcement to identify and bring the perpetrators to justice.
In October 2019, an attacker used compromised web hosting account credentials to connect to the hosting accounts of roughly 28,000 GoDaddy customers over SSH. GoDaddy discovered the intrusion in April 2020 and notified the affected customers the following month.
In November 2021, the same group of threat actors used a compromised password to access the provisioning system of GoDaddy’s Managed WordPress service, exposing the WordPress instances of up to 1.2 million customers. The attackers accessed the email addresses and customer numbers of all impacted customers, the original WordPress admin password set at provisioning, the sFTP and database credentials of active customers, and the SSL private keys of a subset of active customers. GoDaddy believes that these incidents are part of a multi-year campaign by a sophisticated threat actor group.
In a statement, GoDaddy expressed regret for any inconvenience caused to its customers or visitors to their websites and promised to improve the security of its systems based on lessons learned from the incident. However, this apology and security enhancement pledge may have been more comforting if this was not the third time that the same hacker group had breached GoDaddy in as many years.
Currently, GoDaddy is collaborating with external cybersecurity forensic experts and law enforcement agencies around the world to investigate the cause of the breach.
Author: Sergiu Gatlan