In a filing submitted to the United States Securities and Exchange Commission (SEC) on the morning of November 22, GoDaddy disclosed yet another cyber attack, followed by a data breach that exposed the data of a large number of its customers.
GoDaddy data breach: what happened
From what the company filed through its official channels, we learn that an outside attacker gained unauthorized access, by means of a compromised password, to the provisioning system of the infrastructure that hosts customers' WordPress websites (GoDaddy's Managed WordPress service).
Let's look at a few details, and then reflect on what happened.
GoDaddy discovered the problem on November 17, through suspicious activity in the Managed WordPress part of its infrastructure, but the company's first analyses indicate that the attacker's initial unauthorized access dates back to September 6.
Between September 6, 2021 and November 17, 2021, the sFTP and database usernames and passwords of active customers were accessible to the attacker.
It was in this window that the attacker exfiltrated data relating to up to 1.2 million customers, until on November 17 the company blocked the ongoing activity.
The forensic investigation, conducted together with law enforcement, is still at a preliminary stage; the company says it is doing everything it can to limit the damage, resetting the compromised passwords, including the sFTP and database credentials, so that they can be regenerated.
On top of that, the attacker also obtained, by exfiltrating them, the SSL private keys of a subset of active customers: the keys for the certificates that serve those customers' sites over HTTPS.
An important detail of the GoDaddy data breach
We have seen what happened; now we must reflect on how it was possible.
One detail should be added to the damage list above: the stolen sFTP passwords were stored by GoDaddy in plain text, or in a reversible form that allowed them to be easily converted back to clear text.
You can verify this strongly discouraged practice empirically: log into the GoDaddy hosting control panel and note that your sFTP password is shown, pre-filled, in its field. When authentication uses a public key, or the password is stored only as a hash, the control panel cannot show the password, simply because the provider does not have it: it does not know it at all.
Storing only a salted hash of the password (computed with a slow, purpose-built function), or authenticating with a public key, are both industry best practices; storing sensitive data such as passwords in the clear is always strongly discouraged.
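To make the difference concrete, here is an added example (not GoDaddy's code; the class names and the sample account are assumptions) that puts a credential store which keeps the password in the clear, and can therefore show it back in a control panel, beside one that keeps only a salted PBKDF2-HMAC-SHA256 hash. The second store can still verify a login, but has no way to display the password, and dumping it, as an attacker who exfiltrated the database would, yields nothing directly usable.

```python
import base64
import hashlib
import hmac
import os

# Added example, not GoDaddy code. PBKDF2-HMAC-SHA256 is used because it is in
# the Python standard library; argon2id or scrypt would be equally good choices.
ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256


class PlaintextCredentialStore:
    """The anti-pattern: the provider keeps the secret and can show it back."""

    def __init__(self):
        self._db = {}

    def set_password(self, user, password):
        self._db[user] = password

    def reveal(self, user):
        # This is what a pre-filled password field in a control panel implies.
        return self._db[user]

    def verify(self, user, password):
        stored = self._db.get(user, "")
        return hmac.compare_digest(stored.encode(), password.encode())

    def dump(self):
        # What an attacker with database access walks away with.
        return dict(self._db)


class HashedCredentialStore:
    """Keeps only salt + PBKDF2 output; the clear-text password is never stored."""

    def __init__(self, iterations=ITERATIONS):
        self._db = {}
        self._iterations = iterations

    def _derive(self, password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def set_password(self, user, password):
        salt = os.urandom(16)  # fresh random salt per password
        digest = self._derive(password, salt, self._iterations)
        self._db[user] = "pbkdf2_sha256${}${}${}".format(
            self._iterations,
            base64.b64encode(salt).decode(),
            base64.b64encode(digest).decode(),
        )

    def verify(self, user, password):
        record = self._db.get(user)
        if record is None:
            # Do the same amount of work so timing does not reveal whether the user exists.
            self._derive(password, b"\0" * 16, self._iterations)
            return False
        _algo, iterations, salt_b64, digest_b64 = record.split("$")
        actual = self._derive(password, base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(actual, base64.b64decode(digest_b64))

    # Deliberately no reveal(): the data needed to show the password does not exist.

    def dump(self):
        return dict(self._db)


def password_recoverable_from_dump(store, user, password):
    """True if the stored record itself contains the clear-text password."""
    return password in str(store.dump()[user])
```

The iteration count is a parameter so that it can be raised as hardware gets faster; the stored record carries it, so old records remain verifiable after the default changes.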
Also, sFTP runs on port 22: the file transfer service is in fact the SFTP subsystem of SSH and relies on SSH for its encryption and authentication. An sFTP password is therefore nothing less than an SSH credential for the system (read and write access to the server's filesystem, unless the account is confined to SFTP and chrooted), so leaving such a password in the clear is certainly very wrong and dangerous.
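Because sFTP is just SSH, the right mitigation on the server side is to make sure a customer's credential can never become more than SFTP. Below is an added example (not GoDaddy's configuration; the sftponly group, the chroot path and the sample account names are assumptions) that parses two constructed sshd_config fragments, a weak one and a hardened one, computes the settings that would apply to a given account, and flags the combinations that turn a leaked password into shell access. The Match evaluation is simplified to User and Group criteria.

```python
import shlex

# Constructed sshd_config fragments (not GoDaddy's configuration). In the weak
# one a customer with a leaked sFTP password gets an ordinary SSH login.
WEAK_SSHD_CONFIG = """
Port 22
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Hardened: keys only, and members of the (assumed) sftponly group are confined
# to the SFTP subsystem inside a per-user chroot with no forwarding.
HARDENED_SSHD_CONFIG = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

# OpenSSH defaults (sshd_config(5)) for the keywords the audit looks at.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "chrootdirectory": "none",
    "forcecommand": "none",
}


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive; as in sshd, the first occurrence of a keyword
    within a section wins.
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            current = {}
            blocks.append((tuple(a.lower() for a in args), current))
        else:
            current.setdefault(keyword, " ".join(args))
    return global_settings, blocks


def match_applies(criteria, user, groups):
    """Simplified Match evaluation: only User and Group criteria are understood
    (an assumption of this example); any other criterion is treated as not matching."""
    wanted_groups = {g.lower() for g in groups}
    for key, value in zip(criteria[0::2], criteria[1::2]):
        candidates = set(value.split(","))
        if key == "user":
            if user.lower() not in candidates:
                return False
        elif key == "group":
            if not wanted_groups & candidates:
                return False
        else:
            return False
    return True


def effective_settings(text, user, groups):
    """Defaults, overridden by the global section, overridden by matching Match blocks."""
    global_settings, blocks = parse_sshd_config(text)
    settings = dict(DEFAULTS)
    settings.update(global_settings)
    overrides = {}
    for criteria, block in blocks:
        if match_applies(criteria, user, groups):
            for keyword, value in block.items():
                overrides.setdefault(keyword, value)  # first matching block wins
    settings.update(overrides)
    return settings


def audit_sftp_account(text, user, groups):
    """Findings for an account that should only ever be able to do sFTP."""
    s = effective_settings(text, user, groups)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: a leaked password is a full SSH credential")
    if s["forcecommand"] != "internal-sftp":
        findings.append("no 'ForceCommand internal-sftp': the account can get a shell or run commands")
    if s["chrootdirectory"] == "none":
        findings.append("no ChrootDirectory: the account can read the whole filesystem")
    if s["allowtcpforwarding"] != "no":
        findings.append("AllowTcpForwarding yes: the account can pivot to internal services")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sftp_account(cfg, "customer1", ["sftponly"]) or ["no findings"])
```

Note that the hardened fragment only protects accounts in the sftponly group; run the audit for an account outside that group and the same findings about ForceCommand, ChrootDirectory and forwarding come back, which is exactly the check to run before handing customers SFTP credentials.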
Let’s think about the impact that the attack produces
Several scenarios can now arise, and each deserves the utmost attention from anyone affected by the incident, because each carries a wide margin of risk.
GoDaddy says it immediately alerted all affected customers, reset their login passwords (which now have to be regenerated) and is revoking the certificates whose private keys were stolen, issuing and installing new ones.
All this is good, given the promptness of the response once the intrusion was detected. But the attackers had about 70 days not only to steal information and data from the servers, but also to upload malware to hosted sites or to create unauthorized user accounts on hosted websites.
That would give the attacker persistence that survives the initial remediation. If you have a WordPress site hosted on GoDaddy, we therefore recommend a general review of all the critical points of the site:
- check the list of users with administrative privileges, and remove any account you do not recognize;
- reset the passwords of all internal users;
- check installed plugins, themes and the wp-content/uploads directory for files you did not put there;
- enable two-factor authentication for all users of the site immediately, if it is not already in use.
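The first two checks above can be done directly against the site's database. The added example below (not GoDaddy's or WordPress's code; the sample rows and the account names are constructed) runs the administrator query that WordPress's wp_users / wp_usermeta tables support against an in-memory SQLite copy of that layout, flags administrator accounts created while the attacker held the credentials, and produces the WP-CLI commands to terminate those accounts' sessions and reset their passwords. The SQL runs unchanged in MySQL against a real WordPress database (adjust the wp_ prefix, in the table names and in the meta key, if the site uses a different one).

```python
import sqlite3

# Dates from the GoDaddy disclosure: first access and the day the activity was blocked.
BREACH_START = "2021-09-06 00:00:00"
BREACH_END = "2021-11-17 23:59:59"

# Constructed sample rows (not real data) in the layout of wp_users / wp_usermeta.
SAMPLE_USERS = [
    (1, "owner", "owner@example.com", "2019-03-02 10:00:00"),
    (2, "editor1", "editor@example.com", "2020-07-14 09:30:00"),
    (3, "wp-supp0rt", "x@mail.example", "2021-10-03 02:11:45"),    # created in the breach window
    (4, "backup_admin", "y@mail.example", "2021-11-16 23:58:01"),  # created in the breach window
]
# WordPress serialises roles as a PHP array under the meta key <prefix>capabilities.
SAMPLE_CAPABILITIES = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    2: 'a:1:{s:6:"editor";b:1;}',
    3: 'a:1:{s:13:"administrator";b:1;}',
    4: 'a:1:{s:13:"administrator";b:1;}',
}

# Portable SQL: identical against MySQL on a real site (change wp_ if the prefix differs).
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""


def build_sample_db():
    """In-memory SQLite database with the two WordPress tables the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(uid, "wp_capabilities", caps) for uid, caps in SAMPLE_CAPABILITIES.items()],
    )
    return conn


def list_administrators(conn):
    """Every account holding the administrator role, oldest first."""
    return conn.execute(ADMIN_QUERY).fetchall()


def suspicious_administrators(conn, start=BREACH_START, end=BREACH_END):
    """Administrators whose account was created while the attacker held the credentials."""
    return [row for row in list_administrators(conn) if start <= row[3] <= end]


def remediation_commands(rows):
    """WP-CLI commands per flagged account: kill its sessions, then set a random password.
    Accounts you cannot attribute to a real person should then be deleted with
    `wp user delete <login> --reassign=<trusted user id>`."""
    commands = []
    for _user_id, login, _email, _registered in rows:
        commands.append(f"wp user session destroy {login} --all")
        commands.append(f'wp user update {login} --user_pass="$(openssl rand -base64 24)"')
    return commands


if __name__ == "__main__":
    db = build_sample_db()
    for row in list_administrators(db):
        print("admin:", row)
    for cmd in remediation_commands(suspicious_administrators(db)):
        print(cmd)
```

An account created inside the window is not proof of compromise (a colleague may have been onboarded then), so treat the flagged list as a review queue; also review every administrator's e-mail address, since changing it to an attacker-controlled one is a quieter way to keep access than creating a new user.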
Another possible scenario is that a WordPress site hosted on GoDaddy ran an e-commerce store (WordPress has many plugins and themes capable of this): here the attacker may also have exfiltrated sensitive payment or credit card data, and the site owner may in turn be obliged to notify their own customers of the incident.
The SSL private keys, combined with a man-in-the-middle position, would let an attacker impersonate the affected sites and read the contents of communications (passwords, credit card numbers, personal data entered by the visitor, and so on). Note that where the site negotiated TLS with forward-secret (ephemeral Diffie-Hellman) key exchange, the stolen key does not let previously recorded traffic be decrypted; what it allows is active impersonation, which is why the certificates must be replaced and the old ones revoked.
Finally, pay the utmost attention to phishing in the coming period: with a body of personal and contact data like this, attacks of that kind will start very soon. Always check the sender of any e-mail or SMS message very carefully, especially before deciding whether to click a link in the message.
Who is GoDaddy?
The company is based in Tempe, Arizona and, with about 20 million active customers, is certainly one of the largest domain registrars and hosting providers in the world. In the hours following the filing and the news coverage that followed, its shares fell by $3.15 (4.42% of the reference value).
GoDaddy has suffered security incidents before. In 2018, a misconfigured Amazon Web Services (AWS) S3 bucket exposed GoDaddy's internal data. In 2020, another security incident compromised the hosting accounts of about 28,000 customers.