OhNoDaddy: GoDaddy Compromised

by lg0p89

Everyone knows of GoDaddy (www.godaddy.com) and their services.  Years ago, the business became a household name with their commercials.  Since then, the business has grown and become a bit more conservative, as evidenced by their website.  This growth has made GoDaddy the world's largest domain registrar, with 19 million customers, seven million managed domains, and millions of hosted websites.  In comparison to GoDaddy's peers, this is huge.

Breach

The short summary is that there was a data breach focused on web hosting account credentials.  This is a rather serious issue for GoDaddy.  Given the amount of data reachable with those credentials, and the other confidential client information GoDaddy holds, the targeting was no surprise.

The breach came to light indirectly.  The intrusion itself was not identified at the time; rather, odd activity was detected on a portion of GoDaddy's servers on April 17, 2020.  Six days later, on April 23, 2020, the affected customers were identified.

The breach itself allegedly occurred on October 19, 2019, over six months earlier, per the notice filed with the State of California Department of Justice under California Civil Code section 1798.29(e).  GoDaddy disclosed the breach on May 4, 2020, and only then published the notice and began to inform the affected persons.

This was confirmed by Demetrius Comes, the CISO and vice president of engineering.

Method

Naturally, GoDaddy initiated an investigation.  It concluded that the unauthorized person had acquired the login credentials for the hosting accounts, meaning they could connect to the compromised accounts via SSH.  This is what makes the access so useful to an attacker: an SSH session on a hosting account is a shell with the customer's own permissions over the files that make up the site.  Until the password was reset, the least the attacker could do would be to deface the websites with profane language or inappropriate images; quietly reading or copying the files in the account is the possibility that is harder to see and harder to rule out.

Scope

Fortunately, this did not affect all accounts; approximately 28,000 customers were affected.  Only the hosting accounts were involved, not the main GoDaddy customer accounts or the personal information held within them.  GoDaddy notes, for what it's worth, that no files appear to have been modified or added to the affected accounts.  It was not able to state definitively whether any files had been viewed or copied, though, and that is where the real issue lies.  Modification would clearly be bad, but since the business cannot tell whether files were viewed or copied, the conservative view is that they were at least viewed, and they should be treated as such.

Mitigations

The business did, fortunately, take the conservative route and presumed there had been access.  To close off this specific avenue, the affected hosting account logins were toggled to require a password reset.  To answer the customers' questions without inundating the help line, an email was sent to the affected customers directing them to log in and giving them the procedures to follow.  Without the reset, the customers would not have access to their hosting account.  As a follow-up, GoDaddy also had the customers audit their hosting accounts for any anomalies, one possibility being admin accounts created by the attacker.
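What "audit your hosting account for anomalies" amounts to in practice is a check for two things a credential thief leaves behind: an SSH key or similar login the owner never added (the "admin account" GoDaddy warned about), and files changed after the suspected compromise date.  The script below is an added example, not GoDaddy's procedure or tooling; the account layout, both SSH keys, and the October 19, 2019 cutoff it uses are constructed for the illustration.

```python
"""Audit a hosting account directory for traces of credential misuse.

Added example, not GoDaddy's procedure.  Two checks: authorized_keys entries
whose key material the owner does not recognise, and files whose mtime is
after the suspected compromise date.  The sample account is constructed.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed: the one key the owner knows they installed.
OWNER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnerKeyExampleExampleExampleExample owner@laptop"
# Constructed: a key the owner did not install, i.e. an attacker's persistent "admin" login.
PLANTED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlantedKeyExampleExampleExampleExam attacker"
# Suspected compromise date from the California DOJ notice; anything newer is suspect.
COMPROMISE_DATE = datetime(2019, 10, 19, tzinfo=timezone.utc)

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def key_blob(line):
    """Return the base64 key material of an authorized_keys line, ignoring any option prefix."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return fields[i + 1]
    return None


def unknown_authorized_keys(home, known_keys):
    """authorized_keys lines whose key material is not in known_keys."""
    path = Path(home) / ".ssh" / "authorized_keys"
    if not path.exists():
        return []
    known = {key_blob(k) for k in known_keys}
    unknown = []
    for line in path.read_text().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if key_blob(line) not in known:
            unknown.append(line)
    return unknown


def files_changed_after(home, cutoff):
    """Relative paths of files under home modified after cutoff (aware datetime)."""
    cutoff_ts = cutoff.timestamp()
    hits = []
    for path in Path(home).rglob("*"):
        if path.is_file() and path.stat().st_mtime > cutoff_ts:
            hits.append(str(path.relative_to(home)))
    return sorted(hits)


def audit_account(home, known_keys, cutoff):
    return {
        "unknown_keys": unknown_authorized_keys(home, known_keys),
        "changed_after_cutoff": files_changed_after(home, cutoff),
    }


def build_sample_account():
    """Constructed hosting account: one untouched file, one planted key, one planted file."""
    home = Path(tempfile.mkdtemp(prefix="acct_"))
    (home / ".ssh").mkdir()
    # Writing the planted key also bumps authorized_keys' mtime, as it would in a real intrusion.
    (home / ".ssh" / "authorized_keys").write_text(OWNER_KEY + "\n" + PLANTED_KEY + "\n")
    index = home / "public_html" / "index.php"
    index.parent.mkdir(parents=True)
    index.write_text("<?php echo 'hello'; ?>\n")
    old = datetime(2019, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(index, (old, old))  # legitimate file, last touched before the compromise
    planted = home / "public_html" / "wp-content" / "uploads" / "cache.php"
    planted.parent.mkdir(parents=True)
    planted.write_text("<?php /* constructed placeholder for a file the owner did not create */ ?>\n")
    return home


def run_sample_audit():
    return audit_account(build_sample_account(), [OWNER_KEY], COMPROMISE_DATE)


if __name__ == "__main__":
    report = run_sample_audit()
    for key in report["unknown_keys"]:
        print("UNKNOWN KEY:", key)
    for path in report["changed_after_cutoff"]:
        print("CHANGED AFTER CUTOFF:", path)
```

On a real account, point `audit_account` at the home directory and pass the keys you actually installed; the mtime check is only a first pass, since an attacker with shell access can reset timestamps, which is why the key check and the password reset matter more than the file list.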

When Will This Be Over?

While the incident began over six months earlier and the forensic work had mostly been completed, the investigation continued.  While it does appear that GoDaddy's actions halted the attacker's potential for access, GoDaddy is still evaluating the breach's effect across its environment.  GoDaddy is not releasing much information beyond what has been published already, unfortunately.  Fuller disclosure would be useful, as others in the industry could learn from it.

Issues

Indeed, the breach on its own is an issue for obvious reasons.  There are other significant and legitimate concerns though.

One of these is that it is not known how many customers are actually aware that their web hosting account credentials have been compromised.  While affected GoDaddy customers are unaware that their credentials are floating around the Internet we know and love, those credentials may be used for malicious activities.  In theory, if the attackers wanted to bother the customers, they could log in, change the credentials and other information, and make it very difficult for the authentic owner to log into their account, unless funds were to change hands.  They may also access other information which they could use to the real owner's detriment.

Investigating these matters certainly takes a significant amount of time.  The evidence would be sparse, possibly spread among different systems, and difficult to correlate.  A well-versed attacker would also attempt to remove their footprints to further complicate the detection and forensic work.  With all these factors combined, this is not a simple task.  Bearing this in mind, though, GoDaddy should still have detected this well before the end of April 2020.  Their Security Information and Event Management (SIEM) system should have picked up some form of anomalous activity before the six-month mark.  Having customers' private information on sale, or possibly being used for other unauthorized purposes, is not acceptable.  Once the baseline breach information had been accumulated and the forensic work done on the systems, the users should have been notified.  Granted, this should not be immediate, but it should be done at the appropriate time, and here that time appears to have been extended for some reason.  Possibly the business wanted to be conservative and wait in the hope that other evidence would come to light.  Rather than trying to balance this, the customers really should have been notified earlier.
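The anomalous activity a SIEM should have caught here is not subtle: stolen hosting credentials used from a source the account has never logged in from, and one source address authenticating successfully to many different customer accounts on a shared server.  The script below is an added example of those two correlation rules over sshd log lines; it is not GoDaddy's detection logic, and the log lines, account names, addresses, and per-account baseline of known sources are all constructed for the illustration.

```python
"""Flag anomalous SSH logins in sshd auth log lines.

Added example, not GoDaddy's tooling.  Two rules a SIEM would run:
  new_source: a successful login from an address the account never used before
  fan_out:    one source address succeeding against several distinct accounts
All log lines and the baseline below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth log lines (syslog format, no year, as sshd logs them).
SAMPLE_LOG = """\
Oct 19 02:11:07 web01 sshd[4021]: Accepted password for acct1001 from 203.0.113.7 port 51022 ssh2
Oct 19 02:11:19 web01 sshd[4030]: Accepted password for acct1002 from 203.0.113.7 port 51040 ssh2
Oct 19 02:11:31 web01 sshd[4038]: Accepted password for acct1003 from 203.0.113.7 port 51061 ssh2
Oct 19 02:11:44 web01 sshd[4045]: Accepted password for acct1004 from 203.0.113.7 port 51080 ssh2
Oct 19 09:30:02 web01 sshd[5102]: Accepted publickey for acct1001 from 198.51.100.20 port 40012 ssh2
Oct 19 10:02:55 web01 sshd[5210]: Failed password for acct1005 from 203.0.113.7 port 51200 ssh2
Oct 19 10:03:01 web01 sshd[5212]: Accepted password for acct1005 from 203.0.113.7 port 51201 ssh2
Oct 19 11:15:00 web01 sshd[5300]: Accepted password for acct1006 from 192.0.2.44 port 60001 ssh2
"""

# Constructed baseline: source addresses each hosting account has previously logged in from.
KNOWN_SOURCES = {
    "acct1001": {"198.51.100.20"},
    "acct1002": {"198.51.100.21"},
    "acct1003": {"198.51.100.22"},
    "acct1004": {"198.51.100.23"},
    "acct1005": {"198.51.100.24"},
    "acct1006": {"192.0.2.44"},
}

# Matches the "Accepted <method> for <user> from <ip>" and "Failed ..." sshd messages,
# including the "invalid user" variant sshd emits for nonexistent accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Return one dict per recognised auth line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_anomalies(events, known_sources, fan_out_threshold=3):
    """Return alert tuples for successful logins that break the two rules above."""
    alerts = []
    accepted = [e for e in events if e["result"] == "Accepted"]

    # Rule 1: success from a source this account has never used.
    for e in accepted:
        if e["ip"] not in known_sources.get(e["user"], set()):
            alerts.append(("new_source", e["user"], e["ip"]))

    # Rule 2: one source succeeding against many accounts, the signature of a
    # stolen credential list being worked through on a shared hosting server.
    users_by_ip = defaultdict(set)
    for e in accepted:
        users_by_ip[e["ip"]].add(e["user"])
    for ip, users in users_by_ip.items():
        if len(users) >= fan_out_threshold:
            alerts.append(("fan_out", ip, len(users)))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG), KNOWN_SOURCES):
        print(alert)
```

The fan-out rule is the one worth tuning first: a single customer logging in from a new address happens daily, but five different hosting accounts accepting passwords from the same address within a minute does not, and it needs no per-account baseline to fire.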

GoDaddy is offering a year of complimentary security and malware removal for the affected customers, as it should.  A year, though, is a minimum.  If I were the attacker, I would now know what the benchmark is and would game the system by starting the individual attacks a year and a few days later.

Trend?

This isn't the only oversight reported in this period.  On March 31, 2020, the illustrious Brian Krebs reported that a GoDaddy staff member had fallen victim to a spear phishing attack.  After establishing a foothold, the attacker pivoted and successfully attacked a limited number of other GoDaddy domain customers.

Also last year, attackers used hundreds of compromised GoDaddy accounts to create 15,000 subdomains.  A portion of these were designed to impersonate popular websites or to redirect possible victims to spam pages.  Earlier in 2019, GoDaddy was found to be inserting JavaScript into its U.S. customers' websites without their authorization.

In 2018, GoDaddy publicly exposed high-level configuration data for tens of thousands of systems in AWS, due to a cloud storage misconfiguration.
