GoDaddy suffered a three-year data breach

An unknown threat actor has been sitting inside GoDaddy's systems for years, installing malware, stealing source code and attacking customers of the company's hosting service, the web hosting giant confirmed in a filing with the SEC late last week.

According to the filing (via BleepingComputer), the attackers breached GoDaddy's cPanel shared hosting environment and used it as a launching pad for further attacks. The company described the hackers as a "set of complex threat actors."

The group was finally caught when customers of the service began reporting, in late XNUMX, that traffic to their sites was being intermittently redirected elsewhere.

GoDaddy now believes that the data breaches it reported in March XNUMX and November XNUMX were all part of the same campaign.

"Based on our investigation," the company wrote in the filing, "we believe these incidents are part of a multi-year campaign by a complex set of malicious actors who, among many other things, installed malware on our systems and obtained code snippets related to certain services within GoDaddy."

In the November XNUMX incident, the attackers accessed the data of about XNUMX million customers of the service. This included both active and inactive users, whose email addresses and customer numbers were exposed.

The company also said that the original WP admin password, set when a new WP installation is first provisioned, was exposed, which would allow attackers to log in to any installation where that password had not since been changed.

GoDaddy also found that active customers of the service had their sFTP credentials, as well as the usernames and passwords for the WP databases that store their site content, exposed in the leak.

In a subset of cases, the private SSL keys of customers of the service were also exposed. A leaked private key lets an attacker impersonate the customer's site or other services that rely on that certificate.

GoDaddy has reset the database passwords, sFTP credentials and WP admin passwords of the service's customers, and is now in the process of issuing new SSL certificates to those whose private keys were exposed.

In a statement issued in February XNUMX, the web hosting giant said it has engaged an external cybersecurity forensics team and has called on law enforcement agencies around the globe to investigate the case further.

It is also now clear that the attacks on GoDaddy were part of a broader campaign against web hosting companies worldwide.

“We have evidence, and the police have confirmed it, that this mishap was committed by a complex and organized group that focuses on hosting services like GoDaddy.”

"Based on information we have received, its apparent purpose is to infect sites and servers with malware for phishing campaigns, malware distribution, and other malicious activities."