
GoDaddy, a Web Hosting Provider Hit Multiple Times by the Same Group

This month, GoDaddy, a leading web hosting provider, revealed that it had suffered a security breach spanning several years, which resulted in the theft of company source code and of customer and employee login credentials, and in malware being installed on customer websites.

This means the attackers were able to access and modify certain websites hosted by GoDaddy and install malicious software (malware) on them. That malware could then harm visitors to those sites by stealing their personal information, infecting their devices, or performing other malicious actions.

Much of the media attention has focused on the fact that GoDaddy was targeted by the same group of hackers in three separate attacks. The threat actors typically rely on social engineering, for example calling employees and luring them to a phishing website.

In its report to the U.S. Securities and Exchange Commission (SEC), the company said that the same group of hackers was responsible for three separate security breaches:

In March 2020, a phishing attack on an employee compromised the login credentials of around 28,000 GoDaddy customers and a few employees.

In November 2021, attackers used a compromised GoDaddy password to steal source code and information on 1.2 million customers, including website administrator passwords, sFTP credentials, and private SSL keys.

In December 2022, attackers gained access to GoDaddy's cPanel hosting servers and installed malware that intermittently redirected some customer websites to malicious sites.

Little is known about the cause of the November 2021 incident beyond GoDaddy's statement that it involved a compromised password and took two months to discover. For the December 2022 malware breach, GoDaddy has not disclosed how it occurred.

We do know, however, that the March 2020 attack began with a spear-phishing attack on a GoDaddy employee. GoDaddy initially described the incident only as a social engineering attack, but one of the affected customers actually spoke directly to one of the hackers involved.

GoDaddy is a company with around 7,000 employees and an additional 3,000 workers through outsourcing firms in India, the Philippines, and Colombia. 

When employees log in to company resources online, many companies require a one-time password in addition to the regular username and password. The one-time code can be delivered by SMS or generated by an app. But this kind of control is easily bypassed by a phishing page that simply asks for the one-time code along with the regular password.

Physical security keys, by contrast, are a multi-factor option that resists even sophisticated phishing. These keys are inexpensive USB devices that implement Universal 2nd Factor (U2F) multi-factor authentication.

Physical security keys are small devices that help protect online accounts from being hijacked. When you log in, you insert the key and press a button on it to complete the login. This makes it hard for attackers to steal your password or trick you into giving it away: even if you accidentally land on a fake website, the key will not work there and your account stays safe.

1.2 Million users Affected by GoDaddy Data Breach

GoDaddy, the web hosting provider, has announced a data breach and warned that data on 1.2 million customers may have been compromised.

GoDaddy Inc. is a publicly listed American Internet domain registration and web hosting firm based in Tempe, Arizona, and incorporated in Delaware. GoDaddy has over 20 million clients and over 7,000 employees globally as of June 2020. 

Demetrius Comes, GoDaddy's chief information security officer, said in a filing with the Securities and Exchange Commission that the company had discovered unauthorized access to the systems on which it hosts and manages its customers' WordPress servers.

WordPress is a web-based content management system that millions of people use to create blogs and web pages. Users can host their WordPress installations on GoDaddy's servers. 

According to GoDaddy, an unauthorized party gained access to its systems around September 6. GoDaddy said the breach was detected last week, on November 17. It is unclear whether the compromised password was protected by two-factor authentication.

According to the filing, the breach affects 1.2 million active and inactive WordPress users, whose email addresses and customer numbers were exposed. GoDaddy warned that this exposure may put users at increased risk of phishing attacks. The web host also said that the original WordPress admin password generated when WordPress was installed, which could be used to manage a customer's WordPress server, had been exposed.

Active users' FTP credentials (used for file transfers) and the login details for their WordPress accounts, which store all of the user's content, were also compromised in the incident, the company said. In some cases the user's SSL (HTTPS) private key was exposed, which could allow an attacker to impersonate the customer's website or services.

GoDaddy said it has reset affected customers' WordPress passwords and private keys and is in the process of issuing new SSL certificates. Dan Race, a GoDaddy spokesperson, declined to comment further, citing the company's ongoing investigation.

DeFi Platforms PancakeSwap, Cream Finance hit by DNS Attack

DeFi platforms PancakeSwap and Cream Finance warned users on Monday that they had been hit by domain name system (DNS) hijackings. The alerts went out over social media to stop users from falling for a pair of schemes designed to collect private keys or seed phrases from would-be victims. Data obtained through this kind of phishing would let an attacker steal funds from the affected users.

At press time, PancakeSwap said it had regained access to its DNS. Cream Finance appeared to still be working to recover DNS access and was directing users to an alternative address in the meantime. A DNS hijack lets an attacker present a fake web portal to visiting users, usually to harvest personal data, in this case the private keys needed to steal their funds. The U.S. government and private security firms have warned about such attacks in recent years, as noted in a 2019 report by Krebs on Security.

Exact technical details of how the attackers managed to modify the DNS records of the two sites remain unclear, but as security researcher MalwareHunterTeam recently pointed out, both organizations managed their DNS records through the web hosting company GoDaddy. The attackers may have compromised the two companies' hosting accounts in separate incidents, but they may equally have compromised a GoDaddy employee's account to change DNS server records and carry out the attack.

The latter scenario played out twice last year, in March and November 2020, when attackers phished GoDaddy employees for their work credentials and then used legitimate GoDaddy accounts to alter the DNS records of several cryptocurrency and domain hosting sites. Victims of those earlier attacks included Escrow.com, Liquid.com, NiceHash.com, Bibox.com, Celsius.network, and Wirex.app. Phishing attacks targeting web hosting accounts have been common since early 2019, when FireEye uncovered an Iranian state-sponsored hacking group behind a global DNS hijacking campaign.

In that campaign, the Iranian hackers phished their targets for web hosting related accounts and then used DNS hijacking to route traffic for email servers through attacker-controlled infrastructure, which let them phish employees and read their email.
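As an added example (not code from GoDaddy, PancakeSwap, Cream Finance or any of the firms mentioned), the check below compares a known-good snapshot of a zone's records against a fresh one and flags what a hijack carried out through a hosting or registrar account usually changes: the NS delegation, A records that now point outside the provider's address space, and a sharply lowered TTL that makes the redirect take effect quickly. The domain names, addresses and address ranges are constructed; a real monitor would pull the records with a resolver and store the baseline from a known-good day.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample records in zone-file style (TEST-NET addresses, made-up names).
BASELINE = """
example.test.      86400 IN NS ns1.hosting-provider.test.
example.test.      86400 IN NS ns2.hosting-provider.test.
app.example.test.   3600 IN A  203.0.113.10
"""
HIJACKED = """
example.test.      86400 IN NS ns1.attacker-controlled.test.
app.example.test.     60 IN A  192.0.2.77
"""
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # where the site legitimately lives

@dataclass
class Zone:
    ns: set = field(default_factory=set)         # delegated name servers
    a: dict = field(default_factory=dict)        # hostname -> set of IPv4 strings
    min_ttl: int = 10**9                         # lowest TTL seen on A records

def parse_zone(text: str) -> Zone:
    """Parse 'name ttl IN type value' lines; only NS and A matter for this check."""
    zone = Zone()
    for line in text.strip().splitlines():
        name, ttl, _cls, rtype, value = line.split()
        if rtype == "NS":
            zone.ns.add(value)
        elif rtype == "A":
            zone.a.setdefault(name, set()).add(value)
            zone.min_ttl = min(zone.min_ttl, int(ttl))
    return zone

def dns_drift_alerts(baseline: Zone, observed: Zone, known=KNOWN_RANGES) -> list:
    """Return one alert string per suspicious change between the two snapshots."""
    alerts = []
    if observed.ns != baseline.ns:
        alerts.append(f"NS delegation changed: {sorted(baseline.ns)} -> {sorted(observed.ns)}")
    for host, addrs in observed.a.items():
        for ip in addrs - baseline.a.get(host, set()):
            inside = any(ipaddress.ip_address(ip) in net for net in known)
            alerts.append(f"{host}: new A record {ip}" + ("" if inside else " outside known ranges"))
    for host in baseline.a.keys() - observed.a.keys():
        alerts.append(f"{host}: A record missing")
    if observed.min_ttl < baseline.min_ttl // 10:    # attackers often cut TTLs hard
        alerts.append(f"TTL dropped from {baseline.min_ttl} to {observed.min_ttl}")
    return alerts
```

Run the comparison on every resolver poll; a legitimate move to a new provider also trips the NS check, which is the point: delegation changes should always be reviewed by a human.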