GoDaddy Hit with Multiyear Breach

Website hosting company GoDaddy has announced that it has been subject to a multiyear cybersecurity breach. Over the course of the campaign, threat actors were able to install malware on the company’s systems and steal code, according to a 10-K filed with the US Securities and Exchange Commission.

In a statement detailing the most recent attack, GoDaddy shared that it received customer complaints about website redirects in December 2022. An investigation into the issue revealed that malware installed in the company’s cPanel was responsible for the redirects.

Going into more detail in its 10-K, the company links this intrusion to previous cybersecurity issues. In March 2020, a threat actor compromised the login credentials of 28,000 customers. In November 2021, a threat actor was able to leverage a compromised password to access the company’s Managed WordPress code base.

“Based on our investigation, we believe these incidents are part of a multiyear campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company said in its 10-K.

How Can Multiyear Attacks Happen?

Could this type of attack have been prevented or detected sooner? “With a dwell time counted in years, not days, this breach indicates serious weaknesses in the company’s security program,” says Zane Bond, head of product at zero trust cybersecurity software company Keeper Security.

Threat actors are always searching for ways to evade cybersecurity measures. “The longer an attack goes undetected, the better chance it has to remain undetected. Even if you install AI monitoring software after the infection, the malware’s activity will be part of the normal baseline,” says Stephen Manley, CTO of data management as a service company Druva.

Who Is at Risk?

While the root cause of the GoDaddy breach is still under investigation, it is likely that many other organizations face the risk of falling prey to the same kind of attack. “Everyone is vulnerable. Multiyear breaches are typically down to either very limited detection capabilities or a threat actor that is adapting the technique they use to remain persistent. If you combine the two and add in a threat actor that leverages a ‘known good’ technique, multiyear persistent actors are more common than people probably realize,” contends Andrew Barratt, vice president at cybersecurity advisory services company Coalfire.

Growing complexity within any organization offers threat actors more opportunities for exploitation, but they are often attracted to the highest value targets. Bond points to password vaults, managed service providers and remote access tools as some of those high-value victims. “Each of these allows for a single weakness to scale the blast radius of a successful attack significantly,” he says.

The health care industry is also vulnerable to multiyear breaches, according to Manley. “First, threat actors derive more value from exfiltrating patient data than encrypting it, so they will remain hidden for extended periods of time. Second, healthcare organizations have little time to spend on security reviews, since they are always servicing patients,” he says.

What Does Recovery Look Like?

The consequences of data breaches are well known: business operations disruption, lost revenue, and reputational damage chief among them. Thus far, “these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations,” according to GoDaddy 10-K.

But the investigation into the breach is ongoing, and GoDaddy will need to work through a recovery process. “It’s likely not possible to recover the environment from before the breach since they have been infected for so long. They will likely need to build a new, clean environment and move from there,” Manley says.

Can These Attacks Be Prevented?

The GoDaddy breach, along with any other publicly disclosed cybersecurity incident, is a cautionary tale for other organizations. What is their level of risk, and what can be done to prevent a similar breach?

The first step is recognizing that the risk exists. “One thing that a mature organization should be doing is incorporating this kind of attack into their threat modeling, so they are aware of how to mitigate or recover in the event of being affected themselves,” Barratt advises.

The sooner threats are discovered the sooner they can be addressed. Bond argues that threat hunting is valuable but often overlooked. “As your organization continues on its security maturity journey, do not discount the value of threat hunting compared to other advanced detection tools,” Bond says.

Traffic leaving an organization’s network can also be a telling indication of a threat that could otherwise be overlooked. “Oftentimes multiyear persistence that has adapted still has to have a route back to its command-and-control environment. So, those spurious connections leaving the network could just be worth a bit of extra investigation,” Barratt says.

Regardless of an organization’s industry, complexity and risk level, the basics matter when it comes to preventing cyberattacks. For example, Manley emphasizes the importance of multi-factor authentication and strong password management. “Given what we know about this breach, these simple things would have stopped it,” he says.

What to Read Next:

What's Next for T-Mobile After Yet Another Data Breach?

What Does a New, $45M Cyber Catastrophe Bond Mean for the Cyber Insurance Industry?

Royal Mail Posts Progress on Deliveries Following Cyber Incident Disruption