>
An unknown threat actor has been in GoDaddy’s systems for years, installing malware, stealing source code and attacking the company’s customers, the web hosting giant confirmed in an SEC filing late last week.
By the submit (opens in new tab) (through Beeping computer (opens in new tab)), the attackers broke into GoDaddy’s cPanel shared hosting environment and used it as a starting point for further attacks. The company described the hackers as an “advanced threat actor group”.
The group finally got noticed when customers started reporting that traffic coming to their websites was being redirected elsewhere in late 2022.
Links to previous incidents
Now GoDaddy believes that the data breaches reported in March 2020 and November 2021 were all related.
“Based on our investigation,” it wrote in the filing, “we believe these incidents are part of a multi-year campaign by an advanced group of threat actors that, among other things, installed malware on our systems and obtained bits of code related to some services. within GoDaddy,”
During the November 2021 incident, the attackers gained access to the user data of approximately 1.2 million of its customers. This included both active and inactive users, revealing email addresses and customer numbers.
The company also said that the original WordPress admin password, which was created once a fresh installation of WordPress is completed, was also exposed, allowing attackers to access those installations.
GoDaddy also revealed that active customers exposed their sFTP credentials and the usernames and passwords for their WordPress databases, which are used to store all of their content, during the breach.
However, in some cases, the customer’s private SSL keys were exposed, and if this key was misused, an attacker could impersonate a customer’s website or other services.
While GoDaddy has reset customers’ WordPress passwords and private keys, it is currently in the process of issuing new SSL certificates.
In a rack (opens in new tab) published in February 2023, the web hosting giant claims to have employed an outside cybersecurity forensic team and enlisted law enforcement agencies from around the world to investigate the matter further.
It is also now clear that attacks against GoDaddy were part of a wider campaign against web hosting companies around the world.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group that targets hosting services like GoDaddy.”
“According to information we have received, their apparent purpose is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”