[BreachExchange] GoDaddy Hack Breaches Hosting Account Credentials

Destry Winant destry at riskbasedsecurity.com
Wed May 6 10:31:27 EDT 2020


https://threatpost.com/godaddy-hack-breaches-hosting-account-credentials/155475/

The domain registrar giant said that the breach started in October 2019.

UPDATE

GoDaddy, the world’s largest domain name registrar, is warning
customers that attackers may have obtained their web hosting account
credentials.

An “unauthorized individual” was able to access users’ login details
in an intrusion that the company said took place back in October — the
company told Threatpost that the issue was discovered on April 23.

The company said that the breach only affected hosting accounts, not
general GoDaddy.com customer accounts, and that no customer data in
the main accounts was accessed. The Scottsdale, Ariz.-based company
has more than 19 million customers worldwide, but only 28,000 were
affected by the attack.

The company didn’t confirm how long the attacker had access to the
credentials. GoDaddy did give Threatpost a comment:

“On April 23, 2020, we identified SSH usernames and passwords had been
compromised by an unauthorized individual in our hosting environment,”
a spokesperson told Threatpost. “This affected approximately 28,000
customers. We immediately reset these usernames and passwords, removed
an authorized SSH file from our platform, and have no indication the
individual used our customers’ credentials or modified any customer
hosting accounts. The individual did not have access to customers’
main GoDaddy accounts.”

Meanwhile, “we recently identified suspicious activity on a subset of
our servers and immediately began an investigation,” the company said
in a data-breach notice filed with the California Attorney General,
obtained by media. “The investigation found that an unauthorized
individual had access to your login information used to connect to SSH
on your hosting account. We have no evidence that any files were added
or modified on your account. The unauthorized individual has been
blocked from our systems, and we continue to investigate potential
impact across our environment.”

SSH is typically used to log into a remote machine and execute
commands, but it’s also used to transfer files using the associated
SSH file transfer (SFTP) or secure copy (SCP) protocols.

“GoDaddy indicates that the customer accounts were breached in October
of 2019, however, has apparently only just now detected the compromise
and notified customers,” Chris Clements, vice president of solutions
architecture at Cerberus Sentinel, said via email. “If this is the
case, it means the attacker had control of GoDaddy customer hosting
accounts for about seven months before they were discovered. GoDaddy
stated to the affected customers that ‘we have no evidence that any
files were added or modified on your account,’ however it seems highly
implausible that an attacker would have access for that long without
attempting anything nefarious. It just doesn’t add up. GoDaddy should
provide more information into the investigation and evidence to
support this claim as well as explain why it took almost half a year
to detect.”

The company also said that it launched an investigation “immediately”
upon discovering the breach, but didn’t say how the attack was carried
out. Threatpost has asked for any technical details on the incident.

In response to the incident, GoDaddy has reset affected users’
passwords: “We have proactively reset your hosting account login
information to help prevent any potential unauthorized access…out of
an abundance of caution, we recommend you conduct an audit of your
hosting account.”
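One concrete part of the audit GoDaddy recommends, given that the incident involved SSH credentials and the removal of an authorized SSH file: check which public keys are allowed to log into the hosting account. The script below is an added example, not GoDaddy's or Threatpost's code; it parses an `authorized_keys` file (including the options field), computes each key's SHA256 fingerprint the way `ssh-keygen -lf` prints it, and reports any key whose fingerprint is not on an allowlist the account owner maintains. The sample file and the key material in it are constructed for the example.

```python
import base64
import hashlib
import re
import struct

# The key-type token starts the key proper; anything before it is the
# options field, which may itself contain quoted spaces.
KEY_RE = re.compile(r'(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))'
                    r'\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')

def fingerprint(b64_blob):
    """SHA256 fingerprint as printed by `ssh-keygen -lf` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """One dict per key line: options, type, fingerprint, comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:  # keep unparseable lines visible rather than silently skipping them
            entries.append({"options": line, "type": "?", "fingerprint": None, "comment": ""})
            continue
        entries.append({"options": line[:m.start()].strip(), "type": m.group(1),
                        "fingerprint": fingerprint(m.group(2)), "comment": m.group(3) or ""})
    return entries

def audit(text, allowed_fingerprints):
    """Entries whose fingerprint is not on the account owner's allowlist."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in allowed_fingerprints]

def ed25519_blob(raw32):
    """Wire-format ed25519 public key blob (constructed sample, not a real key)."""
    return base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32).decode()

# Constructed sample file: one key the owner recognises and one they do not.
KNOWN = ed25519_blob(bytes(range(32)))
UNKNOWN = ed25519_blob(bytes(32))
SAMPLE = f"""# keys for the hosting account
ssh-ed25519 {KNOWN} operator@laptop
from="203.0.113.5" ssh-ed25519 {UNKNOWN} backup
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, {fingerprint(KNOWN)}):
        print("UNEXPECTED KEY:", finding)
```

Fingerprints on the allowlist should come from the keys on the owner's own machines (`ssh-keygen -lf ~/.ssh/id_ed25519.pub`), not from the server-side file being audited.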

This is only GoDaddy’s most recent data breach – in March an attacker
phished an employee to gain access to GoDaddy’s internal support
system, and went on to change at least five customers’ domain name
entries.

“It’s a terrible security practice, but it’s also not uncommon for
support technicians to enter sensitive information such as account
passwords into notes in their ticket tracking systems,” Clements said.
“It’s not hard to imagine that with access to an internal support
system that attackers could have exfiltrated as much of the ticketing
system data as possible to later comb through for other avenues of
attack. While this hasn’t been confirmed, it would easily explain the
source of the new attacks.”

GoDaddy also exposed high-level configuration information for tens of
thousands of systems (and competitively sensitive pricing options for
running those systems) in Amazon AWS back in 2018, thanks to yet
another cloud storage misconfiguration.
