Everyone knows of GoDaddy (https://www.godaddy.com/)
and their services. Years ago, the business became a household name with their
commercials. Since this time, the business has grown and become a bit more
conservative, as evidenced by their website. This growth has made GoDaddy the
world’s largest domain registrar with 19 million customers, 7 million managed
domains, and millions of hosted websites. In comparison to GoDaddy’s peers,
this is huge.
Breach
The short summary is that there was a data breach focused on
web hosting account credentials. This is a rather serious issue for GoDaddy.
Given the amount of data those credentials protect, and the other confidential
client information GoDaddy holds, the targeting was no surprise.
The breach came to light in an indirect manner. The breach
itself was not identified directly; instead, odd activity was noticed on a portion of the
GoDaddy servers on April 17, 2020. Six days later, on April 23, 2020, the affected
customers were identified.
The breach itself allegedly occurred on October 19, 2019, or
over six months ago, per the State of California Department of Justice. A notice
was filed per California Civil Code section 1798.29(e). This was disclosed
by GoDaddy on May 4, 2020. The business only published the notice and began informing the
affected persons in early May 2020.
This was confirmed by Demetrius Comes, the CISO and vice-president
of engineering.
Method
Naturally, GoDaddy initiated an investigation. The parties
concluded the unauthorized person had acquired the login credentials. This meant
they could connect over SSH to the compromised hosting accounts. That level of access
is what makes the attack particularly useful to an attacker. Until
the password was reset, the least the attacker could do would be to deface the
websites with profane language or inappropriate images.
Scope
Fortunately, this did not affect all the accounts. It did
affect approximately 28k customers. It affected only the hosting accounts and
did not involve the main GoDaddy.com customer accounts or
the personal information held within them. They do note, for what it's worth, that it
does not appear any files were modified or added to the affected accounts.
They were not able to definitively state whether any of the files had been viewed or
copied, though. The latter is really where the issue is focused. If the files
had been modified, this is clearly not a good thing. Since the business doesn't
know if these were viewed or copied, the conservative view is that they were at
least viewed and should be treated as such.
Mitigations
The business did take the conservative route, fortunately,
and presumed there was access. To remove future issues on this specific
point, the affected hosting account logins were toggled to require a reset. To
assist and answer questions for the customers so the helpline was not
inundated, an email was sent to the affected customers directing them to log in
and explaining the procedure to follow. Without the reset, the customers would not
have access to their hosting account. GoDaddy also, as a follow-up, recommended that
customers audit their hosting accounts for any anomalies. One of these may be
admin accounts that were created by the unauthorized attacker.
When will this be over?
While the incident began over six months ago and the forensic
work has been mostly completed, the investigation continues. Although it does appear GoDaddy's
actions did cut off the attacker's potential for access, GoDaddy is continuing to
evaluate the breach's effect across its environment. GoDaddy is not releasing
much information beyond what has been published already, unfortunately. Fuller
disclosure would be useful, as others in the industry could learn
from this.
Issues
Indeed, the breach on its own is an issue for obvious
reasons. There are other significant, legitimate concerns though.
One of these is that it is not known how many customers actually
know their web hosting account credentials have been compromised. This is a problem,
in that while the affected GoDaddy customers are unaware of their credentials
floating through the internet we know and love, these may be used for malicious
activities. In theory, if the attackers wanted to bother the customers, they could log
in, change the credentials and other information, and make it very difficult
for the authentic owner to log into their account unless funds were to
change hands. They may also access other information that they could use to
the real owner's detriment.
To investigate these matters certainly takes a significant
amount of time. The evidence would be sparse, possibly spread among different
systems, and difficult to correlate. A well-versed attacker would also
attempt to remove their footprint from the attack(s) to further complicate the detection
and forensic work. With all the factors combined, this is not such a simple
task. Bearing this in mind, GoDaddy should still have detected this well before the
end of April 2020. Perhaps their SIEM should have picked up some form of anomalous
activity well before the six-month mark. Having customers' private information simply on sale, or possibly being
used for other unauthorized purposes, is not acceptable. Once the baseline breach
information was accumulated and the forensic work done on the system, the users
should have been notified. Granted, this need not have been immediate, but it should have been
done at an appropriate time. It does appear this time was extended for some
reason. Possibly the business wanted to be conservative and wait an extended
period in the hope other evidence would come to light. Instead of attempting to
balance this, the customers really should have been notified earlier.
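The two detection points raised above, anomalous SSH activity a SIEM could have surfaced and unexpected admin accounts a customer audit should catch, can be illustrated with a small log review. This is an added example, not GoDaddy's tooling or anything from the notification; the auth.log lines, hostnames, account names and TEST-NET addresses are constructed, and the baseline of known source addresses is assumed to come from prior login history.

```python
import re
from collections import defaultdict

# Constructed sample lines in Linux auth.log style; hosts, users and IPs are placeholders.
SAMPLE_LOG = """\
Oct 18 09:12:01 web01 sshd[2201]: Accepted password for cust4471 from 198.51.100.20 port 50210 ssh2
Oct 19 02:14:07 web01 sshd[3102]: Accepted password for cust4471 from 203.0.113.5 port 51234 ssh2
Oct 19 02:15:40 web01 sshd[3102]: Failed password for cust9001 from 203.0.113.5 port 51240 ssh2
Oct 19 02:16:02 web01 useradd[3150]: new user: name=backupadm, UID=1005, GID=1005, home=/home/backupadm, shell=/bin/bash
Oct 19 02:16:10 web01 usermod[3155]: add 'backupadm' to group 'sudo'
Oct 19 02:30:00 web01 sshd[3201]: Accepted publickey for backupadm from 203.0.113.5 port 51300 ssh2
"""

# Assumed baseline: source addresses each hosting account has logged in from before (constructed).
BASELINE = {"cust4471": {"198.51.100.20"}}

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
GROUPADD = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}


def analyze(log_text, baseline):
    """Return (finding, account, detail) tuples for an analyst to triage.

    Flags: a successful login from a source the account has never used,
    creation of a new local account, and membership added to a privileged group.
    """
    known = defaultdict(set, {u: set(ips) for u, ips in baseline.items()})
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if ip not in known[user]:          # unseen source for this account
                findings.append(("login_from_new_source", user, f"{ip} via {method}"))
                known[user].add(ip)             # report each new source once
            continue
        m = USERADD.search(line)
        if m:                                   # new account on a hosting box is audit-worthy
            findings.append(("account_created", m.group(1), line.split("]: ", 1)[1]))
            continue
        m = GROUPADD.search(line)
        if m and m.group(2) in PRIVILEGED_GROUPS:
            findings.append(("added_to_privileged_group", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, BASELINE):
        print(*finding, sep="\t")
```

Run against the sample, the chain is visible at a glance: an existing account logs in from a new address, a new account appears, it is put in sudo, and it then logs in from that same address.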
GoDaddy is offering a year of complimentary security and
malware removal for the affected customers, which it should. A year, though, is a
minimum amount of time. If I were the attacker, I would now know what the benchmark
is and could game the system by starting the individual attacks a year and a
few days later.
Trend?
This isn't the only oversight reported in recent weeks. On
March 31, 2020, the illustrious yet distinguished Brian Krebs reported a
GoDaddy staff member was a victim of a spear-phishing attack. After
establishing a foothold, the attacker pivoted and successfully attacked a limited number of
other GoDaddy domain customers.
Last year also, attackers used hundreds of compromised
GoDaddy accounts to create 15k subdomains. A portion of these was designed to
impersonate popular website accounts or to redirect possible victims to spam
pages. Earlier in 2019, GoDaddy was inserting JavaScript into its US customers'
websites without their authorization.
In 2018, GoDaddy publicly exposed high-level configuration data
for tens of thousands of systems in AWS. This was due to a cloud storage
misconfiguration.
Resources
Admin. (2020, May 5). GoDaddy hack breaches hosting account
credentials. Retrieved from https://www.burhani.co/godaddy-hack-breaches-hosting-account-credentials/
Ahmed, D. (2020, May 5). GoDaddy admits data breach
affecting web hosting account credentials of unknown number of customers.
Retrieved from https://www.hackread.com/godaddy-data-breach-hackers-access-ssh-accounts/
Chamberland, C. (2020, May 5). 28,000 GoDaddy hosting
accounts compromised. Retrieved from https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/
Comes, D. (2020, May). Notification letter. Retrieved from https://www.documentcloud.org/documents/6882021-GoDaddy-Customer-Notification.html?/6882021-letter.html
Corfield, G. (2020, May 5). GoDaddy hack: Miscreant goes
AWOL with 28,000 users’ SSH login creds after vandalizing server-side file.
Retrieved from https://www.theregister.co.uk/2020/05/05/godaddy_ssh_login_details_compromised/
Digital Bulletin. (2020, May 6). GoDaddy suffers data breach
to 28,000 customer accounts. Retrieved from https://www.digitalbullet.in/news/godaddy-suffers-data-breach-to-28000-customer-accounts
DigitalMunition. (2020, May 6). GoDaddy hack breaches
hosting account credentials. Retrieved from https://www.digitalmunition.me/godaddy-hack-breaches-hosting-account-credentials/
Duckett, C. (2020, May 5). GoDaddy reports data breach
involving SSH access on hosting accounts. Retrieved from https://www.zdnet.com/article/godaddy-reports-data-breach-involving-ssh-access-on-hosting-accounts/
Editor. (2020, May 5). GoDaddy hack breaches hosting account
credentials. Retrieved from https://flizzyy.com/godaddy-hack-breaches-hosting-account-credentials/
Gatlan, S. (2020, May 4). GoDaddy notifies users of breached
hosting accounts. Retrieved from https://www.bleepingcomputer.com/news/security/godaddy-notifies-users-of-breached-hosting-accounts/
GoDaddy. (2020, May). GoDaddy help. Retrieved from https://www.godaddy.com/help/my-website-was-hacked-what-should-i-do-19945
Krebs, B. (2020, March 31). Phish of GoDaddy employee
jeopardized escrow.com, among others. Retrieved from https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/
Montti, R. (2020, May 6). GoDaddy hosting breach undetected
for 6 months. Retrieved from https://www.searchenginejournal.com/godaddy-hosting-exploit/366324/#close
Nelius, J. (2020, May 5). GoDaddy was apparently hacked last
year, so check your hosting account credentials. Retrieved from https://gizmodo.com/godaddy-was-apparently-hacked-last-year-so-check-your-1843265524
Plato. (2020, May 6). GoDaddy hack: Attackers gained SSH
access to customer hosting accounts. Retrieved from https://zephyrnet.com/godaddy-hack-attackers-gained-ssh-access-to-customer-hosting-accounts/
Rushax. (2020, May). GoDaddy hack 2020. Retrieved from https://rushax.com/godaddy-hack-2020/
Seals, T. (2020, May 5). GoDaddy hack breaches hosting
account credentials. Retrieved from https://milled.com/aranet-llc/new-post-godaddy-hack-breaches-hosting-account-credentials-KJta5z1ytxueGwNC
Sebenius, A. (2020, May 5). GoDaddy breach compromised
credentials of 28,000 customers. Retrieved from https://www.bloomberg.com/news/articles/2020-05-05/godaddy-breach-compromised-credentials-of-28-000-customers
and https://news.bloomberglaw.com/privacy-and-data-security/godaddy-breach-compromised-credentials-of-28-000-customers
Security Magazine. (2020, May 6). GoDaddy confirms data
breach: 28,000 customers affected. Retrieved from https://www.securitymagazine.com/articles/92314-godaddy-confirms-data-breach---28000-customers-affected
ThreatPost. (2020, May 5). GoDaddy hack breaches hosting
account credentials. Retrieved from https://www.itsecuritynews.info/godaddy-hack-breaches-hosting-account-credentials/
Whitney, L. (2020, May 5). GoDaddy data breach shows why
businesses need to better secure their customer data. Retrieved from https://www.techrepublic.com/article/godaddy-data-breach-shows-why-businesses-need-to-better-secure-their-customer-data/
Winder, D. (2019, May 5). GoDaddy confirms data breach: What
customers need to know. Retrieved from https://www.forbes.com/sites/daveywinder/2020/05/05/godaddy-confirms-data-breach-what-19-million-customers-need-to-know/#3a91a6051daa