Hackers stole source code, installed malware in multi-year breach

Web hosting giant GoDaddy says it suffered a breach where unknown attackers stole source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.
While GoDaddy discovered the security breach following customer reports in early December 2022 that their sites were being used to redirect to random domains, the attackers had access to the company’s network for multiple years.
“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the hosting firm said in an SEC filing.
The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign.
The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers breached GoDaddy’s WordPress hosting environment using a compromised password.
They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.
After the March 2020 breach, GoDaddy alerted 28,000 customers that an attacker used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.
GoDaddy is now working with external cybersecurity forensics experts and law enforcement agencies worldwide as part of an ongoing investigation into the root cause of the breach.
Links to attacks targeting other hosting companies
GoDaddy says it also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a statement.
“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”
GoDaddy is one of the largest domain registrars, and it also provides hosting services to over 20 million customers worldwide.
A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Update February 17, 12:59 EST: Added more info on breaches linked to the multi-year campaign targeting GoDaddy and other hosting services.