Cybersecurity and GoDaddy

Everyone knows of GoDaddy (https://www.godaddy.com/) and their services. Years ago, the business became a household name with their commercials. Since this time, the business has grown and become a bit more conservative, as evidenced by their website. This growth has made GoDaddy the world’s largest domain registrar with 19 million customers, 7 million managed domains, and millions of hosted websites. In comparison to GoDaddy’s peers, this is huge.

Breach

The short summary is there was a data breach focused on the web hosting account credentials. This is a rather serious issue for GoDaddy. With the amount of data held with the credentials and other confidential information held by GoDaddy from their clients, the targeting was no surprise.

The breach came to light in an indirect manner. The breach itself was not identified, but odd activity on a portion of the GoDaddy servers on April 17, 2020. Six days later on April 23, 2020, the customers affected were identified.

The breach itself allegedly occurred on October 19, 2019, or over six months ago, per the State of California Department of Justice. A notice was filed per the California Civil Code section 1798.29(e). This was disclosed by GoDaddy on May 4, 2020. The business only published and began to inform the affected persons in early May 2020.

This was confirmed by Demetrius Comes, the CISO, and vice-president of engineering.

Method

Naturally, GoDaddy initiated an investigation. The parties concluded the unauthorized person acquired the login credentials. This meant they could connect to the SSH for the compromised accounts. Access makes the attack specifically useful. Until the password was reset, the least the attacker could do would be to modify the websites with profane language, or inappropriate images.

Scope

Fortunately, this did not affect all the accounts. This did affect approximately 28k customers. This affected only the hosting accounts and did not involve the customer accounts, main GoDaddy.com customer account, or the personal information held within these. They do note, for what it’s worth, it does not appear any files were modified or added to the affected accounts. They were not able to definitely state if any of the files had been viewed or copied though. The latter is really where the issue is focused. If the files had been modified, this is clearly not a good thing. Since the business doesn’t know if these were viewed or copied, the conservative view is these were at least viewed and should be treated as such.

Mitigations

The business did take the conservative route, fortunately, and presumed there was access. To remove future issues on this specific point, the affected hosting account logins were toggled to require a reset. To assist and answer questions for the customers so the helpline was not inundated, an email was sent to the affected customers directing them to log in and the procedures to follow this. Without the reset, the customers would not have access to their hosting account. GoDaddy also, as a follow-up, the customers audit their hosting accounts for any anomalies. One of these may be admin accounts that were created by the unauthorized attacker.

When will this be over?

While the incident began over six months ago and the forensic work has been mostly completed, the investigation continues. It does appear GoDaddy’s actions did cease the attacker’s potential for access, GoDaddy is continuing to evaluate the breach’s effect across its environment. GoDaddy is not releasing much other information than what has been published already, unfortunately. The disclosure would be useful, as the other persons in the industry could learn from this.

Issues

Indeed, the breach on its own is an issue for obvious reasons. There are other significant, legitimate concerns though.

One of these is it is not known how many customers actually know their web hosting account credentials have been compromised. This is a problem, in that while the affected GoDaddy customers are unaware of their credentials floating through the internet we know and love, these may be used for malicious activities. In theory, if they wanted to bother the customers, they could log in, change the credentials and other information, and make it very difficult for the authentic owner to log into their account unless funds were to exchange hands. They may also access other information that they could use to the real owner’s detriment.

To investigate these matters certainly takes a significant amount of time. The evidence would be sparse and possibly spread among different systems, and difficult to correlate. The well-versed attacker would also attempt to remove their footprint from the attack(s) to further complicate the detection and forensic work. With all the factors combined, this is not such a simple task. Bearing this in mind, GoDaddy should have detected this well before the end of April 2020. Perhaps their SIEM should have picked some form of anomalous activity up prior to the over six-month mark. Having their private information simply on sale or possibly being used for other, unauthorized means is not acceptable. Once the baseline breach information was accumulated and work done forensically on the system, the users should have been notified. Granted this should not have been immediate, and done at the appropriate time. It does appear this time was extended for some reason. Possibly the business wanted to be conservative and wait an extended period in the hope other evidence would come to rise. Instead of attempting to balance this, the customers really should have been notified earlier.

GoDaddy is offering a year of complimentary security and malware removal for the affected customers, which it should. A year though is a minimum amount of time. If I were the attacker, I now know what the benchmark is and would game the system with starting the individual attacks a year and a few days later.

Trend?

This isn’t the only oversight reported in recent weeks. On March 31, 2020, the illustrious yet distinguished Brian Krebs reported a GoDaddy staff member was a victim of a spear-phishing attack. The attack, post establishing a foothold, pivoted and successfully attacked a limited number of other GoDaddy domain customers.

Last year also, attackers used hundreds of compromised GoDaddy accounts to create 15k subdomains. A portion of these was designed to impersonate popular website accounts. Or to redirect possible victims to spam pages. Earlier in 2019, GoDaddy was inserting JavaScript into its US customer’s websites, without their authorization.

In 2018, GoDaddy publicly exposed high-level configuration data for tens of thousands of systems in AWS. This was due to a cloud storage misconfiguration.

Resources

Admin. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://www.burhani.co/godaddy-hack-breaches-hosting-account-credentials/

Ahmed, D. (2020, May 5). GoDaddy admits data breach affecting web hosting account credentials of unknown number of customers. Retrieved from https://www.hackread.com/godaddy-data-breach-hackers-access-ssh-accounts/

Chamberland, C. (2020, May 5). 28,000 GoDaddy hosting accounts compromised. Retrieved from https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/

Comes, D. (2020, May). Notification letter. Retrieved from https://www.documentcloud.org/documents/6882021-GoDaddy-Customer-Notification.html?/6882021-letter.html

Corfield, G. (2020, May 5). GoDaddy hack: Miscreant goes AWOL with 28,000 users’ SSH login creds after vandalizing server-side file. Retrieved from https://www.theregister.co.uk/2020/05/05/godaddy_ssh_login_details_compromised/

Digital Bulletin. (2020, May 6). GoDaddy suffers data breach to 28,000 customer accounts. Retrieved from https://www.digitalbullet.in/news/godaddy-suffers-data-breach-to-28000-customer-accounts

DigitalMunition. (2020, May 6). GoDaddy hack breaches hosting account credentials. Retrieved from https://www.digitalmunition.me/godaddy-hack-breaches-hosting-account-credentials/

Duckett, C. (2020, May 5). GoDaddy reports data breach involving SSH access on hosting accounts. Retrieved from https://www.zdnet.com/article/godaddy-reports-data-breach-involving-ssh-access-on-hosting-accounts/

Editor. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://flizzyy.com/godaddy-hack-breaches-hosting-account-credentials/

Gatlan, S. (2020, May 4). GoDaddy notifies users of breached hosting accounts. Retrieved from https://www.bleepingcomputer.com/news/security/godaddy-notifies-users-of-breached-hosting-accounts/

GoDaddy. (2020, May). GoDaddy help. Retrieved from https://www.godaddy.com/help/my-website-was-hacked-what-should-i-do-19945

Krebs, B. (2020, March 31). Phish of GoDaddy employee jeopardized escrow.com, among others. Retrieved from https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/

Montti, R. (2020, May 6). GoDaddy hosting breach undetected for 6 months. Retrieved from https://www.searchenginejournal.com/godaddy-hosting-exploit/366324/#close

Nelius, J. (2020, May 5). GoDaddy was apparently hacked last year, so check your hosting account credentials. Retrieved from https://gizmodo.com/godaddy-was-apparently-hacked-last-year-so-check-your-1843265524

Plato. (2020, May 6). GoDaddy hack-Attackers gained SSH access to customer hosting accounts. Retrieved from https://zephyrnet.com/godaddy-hack-attackers-gained-ssh-access-to-customer-hosting-accounts/

Rushax. (2020, May). GoDaddy hack 2020. Retrieved from https://rushax.com/godaddy-hack-2020/

Seals, T. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://milled.com/aranet-llc/new-post-godaddy-hack-breaches-hosting-account-credentials-KJta5z1ytxueGwNC

Sebenius, A. (2020, May 5). GoDaddy breach compromised credentials of 28,000 customers. Retrieved from https://www.bloomberg.com/news/articles/2020-05-05/godaddy-breach-compromised-credentials-of-28-000-customers and https://news.bloomberglaw.com/privacy-and-data-security/godaddy-breach-compromised-credentials-of-28-000-customers

Security Magazine. (2020, May 6). GoDaddy confirms data breach-28,000 customers affected. Retrieved from https://www.securitymagazine.com/articles/92314-godaddy-confirms-data-breach---28000-customers-affected

ThreatPost. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://www.itsecuritynews.info/godaddy-hack-breaches-hosting-account-credentials/

Whitney, L. ( 2020, May 5). GoDaddy data breach shows why businesses need to better secure their customer data. Retrieved from https://www.techrepublic.com/article/godaddy-data-breach-shows-why-businesses-need-to-better-secure-their-customer-data/

Winder, D. (2019, May 5). GoDaddy confirms data breach: What customers need to know. Retrieved from https://www.forbes.com/sites/daveywinder/2020/05/05/godaddy-confirms-data-breach-what-19-million-customers-need-to-know/#3a91a6051daa

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.