GoDaddy said on Friday that hackers have compromised their hosting infrastructure, stealing company source code, employee credentials, and installing malware on customer cPanel hosting accounts for years.
The hacker’s identities and origins are unknown, according to GoDaddy, but this is not the first breach or cyber incident for the hosting company. GoDaddy reportedly discovered the latest security breach after several customer reports were filed in December 2022.
The most recent event occurred when hackers were able to gain access to the cPanel hosting servers customers use to deploy common applications and manage their hosting services. The attackers were then able to redirect legitimate website traffic to phishing campaigns, malware distribution, and other malicious activities.
GoDaddy: “hacks were highly sophisticated, not easily reproducible”
GoDaddy believes that the “highly sophisticated” threat group was able to operate for so long because the attacks were “not easily reproducible by GoDaddy, even on the same website.”
But, the company now admits that all three times it was hacked, it was the same threat group.
According to BleepingComputer, GoDaddy alerted 28,000 customers that an attacker abused web credentials in October 2019 to connect to a hosting account via SSH. This would date malicious activity by the unnamed threat group 3 and a half years ago.
GoDaddy provides hosting services to over 20 million customers worldwide, with revenue in 20222 of almost $4 billion.
Hacking, malware, ransomware on hosting providers an emerging concern
As threat groups continue to escalate in capabilities and scale, attacking hosting providers in recent years is becoming a more common reality.
In December 2022, hosting company Rackspace confirmed that a cyber incident had taken part of its services offline. It later confirmed in January of this year that the attack was on its on-premises hosted Microsoft Exchange platform, where it previously provided hosted private email services. The attackers were able to access private customer Exchange accounts.
Rackspace also clarified that the extent of the cyber incident included a ransomware attack on Rackspace’s network. They have since shut down their hosted private email services utilizing Exchange.
Microsoft has since warned its customers of hosted Exchange services to apply all critical updates and patches to mitigate known vulnerabilities.
