Hackers Attacked GoDaddy and Stayed on the Company’s Systems for Several Years

One of the world’s largest hosters and domain name registrars, GoDaddy, reports that hackers have compromised the company’s infrastructure. Worse, the company concluded that this was just one in a series of related incidents. It turns out that unknown attackers had access to the company’s systems for several years, were able to install malware on its servers, and stole the source code.

Let me remind you that we also reported that the Epik hoster hack affected 15 million users, not just the company’s clients, and also that Fosshost, an Open-Source Project Hosting, Is Closing Down as Its Leader Disappeared.

According to a report filed by the company with the U.S. Securities and Exchange Commission, the security breach was discovered in December 2022, when customers began reporting that their sites were being used to redirect visitors to random domains. After conducting an investigation, GoDaddy experts came to disappointing conclusions:

Based on our investigation, we believe these incidents are part of a years-long campaign by an experienced group of attackers who, among other things, installed malware on our systems and obtained source code snippets related to certain services on GoDaddy.the company wrote.

It turned out that in December 2022, an attacker gained access to cPanel hosting servers, which customers use to manage sites hosted by GoDaddy. Then the hackers installed some kind of malware on the servers, and the malware “periodically redirected random client sites to malicious ones.”

In addition, incidents dated November 2021 and March 2020 are also reported to have been linked to these attackers.

Let me remind you that in 2021 it became known about the strange compromise of 1.2 million sites running on WordPress. All affected resources were hosted by GoDaddy, and then the company claimed that there was a hack and data leakage: the attackers gained access to the email addresses of all affected clients, their WordPress administrator passwords, sFTP and database credentials, and private SSL keys.

In 2020, GoDaddy notified 28,000 customers that in October 2019, attackers used their credentials to log into a hosting account and connect to their account via SSH.

Now, GoDaddy says it has found additional evidence linking these attackers to a larger malware campaign that has been going on for years against other hosting companies around the world.

We have evidence, and law enforcement confirms, that this incident is connected to an experienced and organized group targeting hosting companies such as GoDaddy. According to the information we have received, their most likely purpose is to infect websites and servers with malware to carry out phishing campaigns, spread malware and perform other malicious activities.the company said in a statement.

GoDaddy is known to have engaged third-party security experts in the ongoing investigation and is also working with law enforcement around the world to uncover the source of these years-long attacks.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *