Internet domain registrar GoDaddy recently announced that it has experienced a cyberattack on its infrastructure, which is believed to be part of a larger series of incidents that date back to 2020. 

The company has provided details of these attacks in its annual report, known as Form 10-K, which is a formal requirement for listed entities in the U.S.

What happened?

In December 2022, experts detected that an unauthorized third party had gained access to the company's cPanel hosting servers and installed malware. This resulted in random customer websites being intermittently redirected to malicious sites.

URL redirection: the secret ingredient

URL redirection is a legitimate aspect of HTTP and is commonly utilized for various purposes.
  • Gaining access to a company's web redirection settings provides a means of hijacking its web servers without directly altering the server's content.
  • By discreetly redirecting requests to content set up elsewhere, the data on the server itself remains unchanged.
  • If the site owner reviewed their access and upload logs for evidence of unauthorized logins or unexpected alterations to the HTML, CSS, PHP, and JavaScript files that make up the site's official content, they would find nothing unusual, because that data was never altered.

To make matters worse, if attackers only initiate malicious redirects sporadically, it can be difficult to detect the subterfuge. This appears to be what happened to GoDaddy.
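As an added illustration (not part of the original article), here is a small Python check of the kind a site owner could run from outside the server, where redirect tampering is visible even though the files and logs on the host look clean: it classifies each probe's redirect and shows why a sporadic off-site redirect only stands out across repeated samples. The hostnames and probe results are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample: what an external monitor might capture over several probes
# of the same page. Each record is (HTTP status, Location header or None).
# In practice these come from an HTTP client; they are hard-coded here so the
# example runs offline.
EXPECTED_HOST = "www.example-shop.test"  # placeholder hostname of the monitored site
SAMPLES = [
    (200, None),
    (200, None),
    (302, "https://malicious.example/landing"),   # constructed off-site redirect
    (200, None),
    (301, "https://www.example-shop.test/home"),  # benign same-host redirect
    (302, "/home"),                               # relative redirect stays on the host
    (200, None),
    (302, "http://malicious.example/landing"),    # the same bad target, hours later
]

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def classify_redirect(status, location, expected_host):
    """Return 'none', 'same-host' or 'off-host' for a single probe."""
    if status not in REDIRECT_STATUSES or not location:
        return "none"
    target = urlparse(location).hostname
    # A relative Location has no hostname and therefore stays on the same host.
    if target is None or target.lower() == expected_host.lower():
        return "same-host"
    return "off-host"


def audit(samples, expected_host):
    """Summarise a series of probes. An intermittent off-host redirect shows up
    as a small fraction of samples, which a one-off check could easily miss."""
    off = [loc for st, loc in samples
           if classify_redirect(st, loc, expected_host) == "off-host"]
    return {
        "probes": len(samples),
        "off_host_hits": len(off),
        "off_host_targets": sorted({urlparse(loc).hostname for loc in off}),
        "suspicious": bool(off),
    }


if __name__ == "__main__":
    print(audit(SAMPLES, EXPECTED_HOST))
```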

Connecting the dots

  • According to the filing, there was an attack in March 2020 that resulted in approximately 28,000 hosting customers' login credentials being compromised, along with the login credentials of a small number of personnel. 
  • Additionally, there was a breach of the company's hosted WordPress service in November 2021.

The bottom line

GoDaddy took almost three months to disclose the breach, and there's little information available. If you have visited a GoDaddy-hosted site since December 2022, there are no IOCs to look for. While the company refers to the breach as recent, its 10-K filing suggests it could have been ongoing for longer.
Cyware Publisher
