Alex - stock.adobe.com

GoDaddy's response to 'multi-year' breach criticized

GoDaddy took nearly three months to disclose that attackers breached the company in a multi-year campaign, and customers are still in the dark about the details of the attack.

GoDaddy is facing criticism from some in the infosec community after it confirmed a major breach last week in which threat actors may have had access to the company's network for several years.

In a statement to its website and 10-K Securities and Exchange Commission (SEC) filing last week, GoDaddy revealed it discovered the breach in December following customer complaints. An ongoing investigation with law enforcement determined that after gaining access to GoDaddy's corporate network, unknown threat actors installed malware on its cPanel hosting servers, which intermittently redirected customer websites to malicious sites.

"We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy," the company said in its statement. GoDaddy is one of the largest domain registrars and hosting providers, with more than 21 million customers. "According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities."

In its 10-K filing, GoDaddy said the breach is connected to security incidents from as early as March 2020, when attackers stole more than 20,000 login credentials, and November 2021, when an attacker hacked into its Managed WordPress hosting service and stole SSL keys, affecting up to 1.2 million customers.

"Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy," GoDaddy wrote in the SEC filing.

Despite the two disclosures, GoDaddy has not shared any technical details or indicators of compromise (IOCs) to assist customers in defending against the ongoing threat. Additionally, the company took more than two months to disclose the breach.

Paul Ducklin, principal research scientist at Sophos, criticized the delayed disclosure and the lack of IOCs or details of the attack in a blog post Monday. Ducklin also highlighted the dangers of threat actors obtaining "insider access" to web redirection settings at GoDaddy. One of the most significant threats it poses, he said, is that web servers can be compromised without attackers having to modify the contents of the servers directly.

"Unfortunately, GoDaddy took nearly three months to tell the world about this breach, and even now there's not a lot go on," Ducklin wrote in the blog. "Let's hope that it doesn't take another three months for the company to tell us what it uncovers in the course of the investigation, which appears to stretch back three years or more …"

Though it took GoDaddy months to publicly disclose the breach, Stanley Lim, software engineer at Snap Inc., wrote about suspicious activity in a blog post on Dec. 20, 2022. After GoDaddy website owners reported experiencing strange redirects, Lim began investigating and found the redirect page changed, depending on IP or location. In some instances, the users were redirected to phishing sites.

"In general, the attack is widespread, where we can find many compromised websites with a simple Google search of the attacking website's IP address," Lim wrote in the blog.

In addition, several users posted concerns on Cloudflare's community forum in December about suspicious redirect activity with their GoDaddy websites. Some were perplexed by the continued redirect activity, even after taking several steps to rid the websites of any malware or malicious access.

GoDaddy's defenses, response questioned

While GoDaddy stated it remediated the situation and implemented additional security measures following the most recent attack, it is unclear how effective it was in addressing past security incidents and how that affected the most recent data breach. Security researchers alerted GoDaddy to the severity of incidents in the past, and were unhappy with its response.

For example, Zach Edwards, senior manager of Human Security's threat insights team, published a blog two years ago, after he discovered compromised GoDaddy websites affected U.S. government organizations, including the Federal Emergency Management Agency. Edwards highlighted that research on Twitter last week and emphasized GoDaddy's poor response.

His blog post from December 2021 included GoDaddy's response to his research. Edwards referred to parts of the company's statement, which appeared to dismiss his concerns about the malicious activity, as "ridiculous."

"We will not be filing another SEC incident about a breach anytime soon," GoDaddy wrote in its response to Edwards. "Customers are responsible for the content of their websites."

In 2022, nearly one year after GoDaddy disclosed the WordPress compromise, Wordfence reported an increase in malware sightings on GoDaddy's managed WordPress service. Mark Maunder, CEO at Defiant Inc., makers of Wordfence, revealed a backdoor infected 298 sites, of which at least 281 were hosted with GoDaddy. It appears Wordfence received no response.

It's unclear if the increased malware activity last year was connected to the current threat campaign against GoDaddy. Wordfence had not responded to request for comment at press time.

Adnan Shah, application security engineer at Snapsec, also criticized GoDaddy's response to the breach. Because GoDaddy said the most recent incident was linked to past data breaches, Shah raised concerns over GoDaddy's ability to "identify and address vulnerabilities, or to remove any installed malware at an earlier stage." Additionally, the fact that this is a multi-year campaign is alarming.

"Had the company taken action sooner, the potential harm to customers might have been minimized or even prevented altogether," Shah wrote in the blog post.

GoDaddy told TechTarget Editorial it had no additional information to share beyond the statement and 10-K filing.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Dig Deeper on Application and platform security