Last updated August 19, 2022
Summary:
- In 2021, GoDaddy’s Managed WordPress hosting environment was accessed by an unauthorized third party using a compromised password.
- The hack accessed the personal data of an estimated 1.2 million Managed WordPress customers, exposing them to potential phishing attacks.
- Other web hosting providers are also vulnerable to these attacks, which fall into three categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VPS and cloud hosting vulnerabilities.
- Following website best practices, creating an incident response plan, and investing in cybersecurity training for employees can minimize your organization’s risk and help you avoid similar threats.
On November 22, 2021, the hosting platform GoDaddy revealed that an unauthorized third party had accessed their Managed WordPress hosting environment. Unfortunately, GoDaddy isn’t unique; many hosting providers remain vulnerable to similar attacks. In this article, we will discuss what is known about the incident so far.
What We Know About the Attack So Far
GoDaddy responded swiftly and effectively, working with law enforcement and an IT forensics firm to thoroughly investigate the incident and take appropriate steps to safeguard users.
What Happened?
On November 17, GoDaddy identified suspicious activity inside their Managed WordPress hosting environment, triggering an internal investigation with the help of an IT forensics firm. It was later determined that an unauthorized third party had used a compromised password to access the provisioning system for their Managed WordPress legacy codebase.
In response to this troubling discovery, GoDaddy immediately blocked the unauthorized third party from their system and began alerting affected users.
So far, the investigation reveals that the unauthorized third party had been using these compromised credentials to gain access to the system beginning on September 6, with a goal of obtaining private customer information, including:
- The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers. The company said this exposure may increase the chances of phishing attacks.
- The original WordPress Admin passwords set on these accounts at provisioning time. As a preemptive measure, any account still using its original WordPress Admin password was subject to a password reset.
- SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
- The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.
Six Additional Web Hosting Providers Impacted
GoDaddy has also revealed that six other web hosts have been impacted by this incident. All six are European resellers of GoDaddy’s Managed WordPress hosting services and include:
What is GoDaddy Doing to Address the Situation?
The investigation is ongoing, and in addition to the actions outlined above, all impacted customers will be contacted directly by the GoDaddy team and provided with specific details. Customers can also contact the GoDaddy team via their online help center, which also includes country-specific phone numbers.
It Isn’t Just GoDaddy; All Hosting Providers Are Vulnerable
While GoDaddy is currently in the spotlight, incidents like this are hardly unique to one hosting provider. Cybercriminals frequently target websites, and many of those attacks are targeted at web hosting accounts.
Common web host vulnerabilities fall into three main categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VPS and cloud hosting vulnerabilities.
General Web Hosting Vulnerabilities
Botnet-Building Attempts
This is when attackers attempt to use publicly available exploits to hijack your web servers and use your infrastructure as part of a botnet (connected computers instructed by a third party to perform repetitive tasks) to attack other organizations.
Less secure web hosting providers are particularly vulnerable. However, once these vulnerabilities are discovered, they are typically patched fairly quickly.
DDoS Attacks
DDoS (distributed denial of service) attacks flood web servers or other online services with traffic in an attempt to crash the system. This can be done either by a large group of cybercriminals or a single criminal commanding a botnet. The goal of DDoS attacks is to overload the server and prevent legitimate users from accessing a company’s services or products.
Web Server Misconfigurations
Many basic website owners, particularly those using low-cost shared hosting, often have no idea whether or not their servers have been correctly configured. This is problematic because misconfigured servers are often left vulnerable and may be running unpatched or outdated applications.
Incorrectly configured servers may also fail to verify access rights correctly, and merely hiding restricted functions, or omitting links to them from your pages, does little to deter attackers. Attackers are technically savvy enough to guess the probable parameters and typical locations of this sensitive functionality and then use brute-force enumeration to find and reach it.
Shared Hosting Vulnerabilities
If having your own server is like owning a single-family home, shared hosting environments act more like apartment buildings, where each account has its own unit within the larger structure. Unfortunately, that means a single attack can impact all of the accounts on a single server.
Non-Siloed Environments
Organizations that opt for shared hosting accounts are particularly vulnerable because these types of accounts exist like large pools of data. Though each account is allocated its own select resources, they all exist within a single environment, so all data, content, and other files occupy the same space and are only divided based on the file structure.
Since all of this data is stored in one location, shared hosting sites are intrinsically linked. This means that if an attacker is able to access the main directory, all sites within the pool may be at risk, and a single compromised account could provide the attacker with a way into the supposedly closed system.
Software Vulnerabilities
All types of hosting accounts can contain software vulnerabilities, but shared servers are typically more at risk. This is because the large number of accounts per server means that each server is likely to host a variety of different applications, each of which will need to be updated regularly to take advantage of security patches and other updated security measures. A single unpatched or out-of-date application may leave the entire server vulnerable.
Malware (Including Ransomware)
Malware, and particularly ransomware, is a growing problem. Though a ransomware attack may target any hosting provider, shared hosting servers are particularly ill-adapted to contain such an attack. Because multiple accounts are hosted on a single server, it is easy for a ransomware attack to spread from one company’s account and infect the rest of the accounts on the same server.
Shared IP Addresses
Shared hosting accounts also share IP addresses, with multiple sites typically being identified by a single IP address, much like all units in a single apartment building share one street address. Unfortunately, this means that if one account is compromised and begins sending out spam or otherwise behaving badly and is blacklisted by a company or service, all other sites sharing that IP address will be blacklisted as well.
This is problematic because getting an IP address removed from a blacklist is typically quite difficult, and organizations are unlikely to cooperate if one of the accounts attached to that IP address continues to behave badly or disregard the organization’s terms of service.
VPS & Cloud Hosting Vulnerabilities
Though virtual private servers (VPS) or cloud hosting options are typically more secure than shared hosting options, they are still vulnerable. Attackers often target these types of hosting accounts because of the advanced interconnected nature of these servers, presenting a lucrative payday for hackers. As such, these types of attacks are also typically carried out by more experienced attackers using advanced methods.
Cross-Site Security Forgery
Cross-site security forgery, also called cross-site request forgery (CSRF), is a flaw that generally affects websites built using unsecured or poorly secured infrastructure. For convenience, many users save their credentials on select platforms, which can be a risky decision if the corresponding website is not secure.
During a CSRF attack, the end-user is forced to execute an unwanted action, such as automatically transferring funds, on a web application in which they are currently authenticated. Using social engineering (such as sending a compromised link via chat or email), an attacker may be able to trick users of a specific web application into doing what the attacker wants without the attacker having to bother trying to determine a username or password.
This works because the attacker has already prepared the action they want performed (such as transferring funds). When the unsuspecting user clicks the link, their saved credentials log them in automatically, and the application completes the queued action before the user is even aware of what happened.
This can be particularly devastating on admin accounts and can compromise the entire web application.
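The request-forgery scenario above, as an added illustration that is not part of the original article: two versions of a funds-transfer handler, written in Python with a constructed in-memory session store and constructed request dictionaries standing in for a web framework. The vulnerable version trusts the session cookie alone, which the browser attaches to a cross-site request automatically; the hardened version additionally requires a per-session synchronizer token (generated with the cryptographic `secrets` module), a same-origin `Origin` header, and the POST method. The site origin `https://bank.example` and the user names are assumptions made up for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data
SESSIONS = {}


def start_session(user):
    """Create a logged-in session with its own CSRF token (constructed example)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def transfer_vulnerable(request):
    """Handler that trusts the session cookie alone: any request carrying the
    cookie is honoured, including one a cross-site page made the browser send."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    return 200, f"transferred {request['form']['amount']} for {session['user']}"


def transfer_hardened(request):
    """Same action, but requires POST, a same-site Origin header, and the
    synchronizer token that only same-origin pages can read."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "state change requires POST"
    origin = request["headers"].get("Origin", "")
    if origin != "https://bank.example":  # assumed site origin for the example
        return 403, "cross-origin request rejected"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison avoids leaking token bytes through timing.
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {request['form']['amount']} for {session['user']}"


def demo():
    """Run both handlers against a legitimate and a forged request."""
    sid = start_session("alice")
    token = SESSIONS[sid]["csrf"]
    # Constructed legitimate submission from the site's own transfer form.
    legit = {"method": "POST", "cookies": {"sid": sid},
             "headers": {"Origin": "https://bank.example"},
             "form": {"amount": "10", "csrf_token": token}}
    # Constructed forged request: the browser attaches the cookie automatically,
    # but the other site cannot read the token and its Origin header differs.
    forged = {"method": "POST", "cookies": {"sid": sid},
              "headers": {"Origin": "https://evil.example"},
              "form": {"amount": "5000"}}
    return {
        "vulnerable_legit": transfer_vulnerable(legit)[0],
        "vulnerable_forged": transfer_vulnerable(forged)[0],
        "hardened_legit": transfer_hardened(legit)[0],
        "hardened_forged": transfer_hardened(forged)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns 200 for both requests; the hardened one accepts only the same-origin submission. Marking the session cookie `SameSite=Lax` or `Strict` at the framework level adds a further layer, but the token check is the control that does not depend on browser behaviour.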
SQL Injections
SQL injection attacks extract data, such as customer information or financial data, from a system by tampering with the queries sent to and from your database server. If this route is not secured, attackers can insert SQL statements of their own into the infrastructure and read or alter data queries before they even reach the server.
This attack works like a postal delivery worker opening and reading all of your mail and copying down any private information they discover before delivering your letters and parcels.
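As an added example, not from the article or from any hosting provider's code: a customer lookup written two ways in Python against a constructed in-memory SQLite table. The first builds the query by string concatenation, so an untrusted value is parsed as part of the SQL; the second binds the value as a parameter, which is the standard defence. The table contents and the hostile input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory customer table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Concatenates the untrusted value into the statement, so it becomes SQL."""
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, email):
    """Parameterized query: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups with a constructed value that turns the WHERE clause
    into a tautology, plus a normal lookup to show the hardened path still works."""
    conn = make_db()
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_rows": lookup_vulnerable(conn, hostile),
        "hardened_rows": lookup_hardened(conn, hostile),
        "hardened_normal": lookup_hardened(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every customer's email for the hostile value; the parameterized version returns nothing, because it looks for an email address that literally equals the supplied string. The same rule applies to WordPress plugins: use the platform's prepared-statement helpers rather than assembling SQL from request data.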
Exploiting XSS Flaws
Harmful cross-site scripting (XSS) scripts are small programs injected into a web page that can be used either to access confidential information or to redirect legitimate users to fraudulent websites.
Though this attack is most commonly used by attackers looking to capture usernames and passwords or trick users into entering their credit card number or other sensitive information into a fraudulent website (such as one that is designed to look almost exactly like your bank’s website), this technique can also be used by organizations to carry out fraudulent business operations.
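An added example, not code from the article: a comment-rendering function in Python shown first interpolating visitor-supplied text straight into HTML, then escaping it for the two contexts it lands in (element body and quoted attribute) with the standard library's `html.escape`. The comment text and author name are constructed inputs; `contains_active_markup` is a deliberately crude check written only to make the difference visible in the output.

```python
import html


def render_comment_vulnerable(author, body):
    """Interpolates untrusted text directly into HTML, so markup in a comment
    is interpreted by every visitor's browser."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_hardened(author, body):
    """Escapes for each output context: quote=True also encodes ' and " so the
    author value cannot break out of the attribute, and the body is escaped so
    tags become visible text."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=False)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'


def contains_active_markup(rendered):
    """Crude check for the demonstration only: is there a raw <script> tag or an
    attribute break-out in the rendered HTML?"""
    return "<script" in rendered or '" onmouseover=' in rendered


def demo():
    # Constructed untrusted values of the kind a visitor might submit: a script
    # that redirects to another site, and an author name that closes the attribute.
    body = '<script>window.location="https://fraud.example"</script>'
    author = '" onmouseover="alert(1)'
    return {
        "vulnerable_active": contains_active_markup(render_comment_vulnerable(author, body)),
        "hardened_active": contains_active_markup(render_comment_hardened(author, body)),
        "hardened_plain": render_comment_hardened("mallory", "<b>hi</b>"),
    }


if __name__ == "__main__":
    print(demo())
```

Escaping at output time is the core control; a Content-Security-Policy header that disallows inline scripts limits the damage when an escape is missed somewhere.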
Insecure Cryptography
Cryptography algorithms typically rely on random number generators, but not all random number generators are made equal, and some random number generators may produce easily guessable numbers which attackers can use to their advantage.
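The random-number point above, as an added Python demonstration that is not from the article: a token built from the general-purpose `random` module is a pure function of its seed, so two generators given the same seed emit the same "random" value, whereas tokens from the `secrets` module come from the operating system's cryptographic generator and cannot be reproduced. The seed value is a constructed stand-in for a server that seeds from a coarse clock reading.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def weak_token(seed, length=16):
    """Token from the general-purpose PRNG (Mersenne Twister). Its output is
    fully determined by the seed, so anyone who knows or guesses the seed
    obtains the identical token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_token(length=16):
    """Token from the OS cryptographic RNG via secrets: no seed, not reproducible."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo():
    """Show that the weak token repeats for a repeated seed while strong tokens do not."""
    # Constructed seed standing in for int(time.time()) taken at the moment a
    # session, password-reset or CSRF token is issued.
    guessable_seed = 1637539200
    issued = weak_token(guessable_seed)
    reproduced = weak_token(guessable_seed)
    a, b = strong_token(), strong_token()
    return {
        "weak_reproducible": issued == reproduced,
        "strong_tokens_differ": a != b,
        "strong_length": len(a),
    }


if __name__ == "__main__":
    print(demo())
```

Anything that grants access when presented (session identifiers, password-reset links, API keys, CSRF tokens, initialization vectors) should come from a cryptographic source such as `secrets` or `os.urandom`; `random` is for simulations and shuffling, not for security.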
Virtual Machine Vulnerabilities
Multiple virtual machines can be run on top of hypervisors in physical servers. However, if there is a vulnerability in the hypervisor, attackers may be able to infiltrate the system remotely and gain access to all virtual machines hosted on a physical server. Though this type of attack is rare, it is still possible, and organizations that use virtual machines should take appropriate steps to safeguard their infrastructure.
Supply Chain Weaknesses
One of the benefits of cloud hosting is resource distribution, but unfortunately, this can also be a source of vulnerabilities. If not all organizations in the cloud supply chain are as studious as your organization about security, they could leave the entire chain vulnerable.
Insecure APIs
APIs (application programming interfaces) are designed to streamline cloud computing processes, but if they aren’t secured properly, they can allow attackers to infiltrate your cloud infrastructure with ease.
Reusable components are incredibly popular, which can make it difficult to safeguard your organization against this type of attack. In an attempt to gain unauthorized access, an attacker can simply try basic access attempts repeatedly until they find a single vulnerability that allows them into the system.
Steps You Can Take to Protect Your Organization & Your Website
In the modern era, it is an unfortunate truth that it isn’t so much if your organization will experience a cybersecurity incident, but when. Luckily, there are steps you can take to safeguard your website and your organization as a whole.
Website Best Practices For Static Sites
One of the best things you can do to safeguard your website is to make sure you are following website security best practices.
If you have a static site, you should ensure that you have an SSL certificate and keep your software up to date. You should also keep an eye on your website using uptime monitoring programs so that you are alerted any time your site undergoes an unexpected content change.
By keeping an eye on your website, you can quickly learn if an incident has occurred, allowing you to mitigate or even prevent damage if your website is defaced or otherwise compromised.
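One way to implement the content-change monitoring described above, as an added Python example rather than anything from the article or a particular monitoring product: record a SHA-256 fingerprint of each page in a known-good state, then compare later crawls against it and raise an alert when a page changes, disappears, or an unexpected page appears. The two snapshots below are constructed strings standing in for fetched page bodies; in practice they would come from an HTTP client run on a schedule.

```python
import hashlib


def fingerprint(html_body):
    """SHA-256 of the page body with all whitespace removed, so reformatting does
    not raise alerts but any real content change does."""
    normalized = "".join(html_body.split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def take_baseline(pages):
    """pages: {url: body}. Returns {url: fingerprint} to persist as the known-good state."""
    return {url: fingerprint(body) for url, body in pages.items()}


def check(baseline, current_pages):
    """Compare a fresh crawl with the baseline; returns a list of alert strings,
    one per changed, missing or unexpected page."""
    alerts = []
    for url, expected in baseline.items():
        body = current_pages.get(url)
        if body is None:
            alerts.append(f"MISSING {url}: page no longer served")
        elif fingerprint(body) != expected:
            alerts.append(f"CHANGED {url}: content differs from baseline")
    for url in sorted(current_pages.keys() - baseline.keys()):
        alerts.append(f"NEW {url}: unexpected page appeared")
    return alerts


def demo():
    """Run the check over two constructed snapshots of a small static site."""
    baseline_pages = {
        "https://site.example/": "<html><body><h1>Welcome</h1></body></html>",
        "https://site.example/about": "<html><body><p>About us</p></body></html>",
    }
    later_pages = {
        # Whitespace-only difference: must not alert.
        "https://site.example/": "<html><body>\n  <h1>Welcome</h1>\n</body></html>",
        # Real content change (a defacement would look like this): must alert.
        "https://site.example/about": "<html><body><p>Site defaced</p></body></html>",
        # Hypothetical file that was not in the baseline: must alert.
        "https://site.example/unexpected.html": "<html><body>new</body></html>",
    }
    return check(take_baseline(baseline_pages), later_pages)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

For sites with dynamic fragments (dates, counters), strip those regions before fingerprinting; otherwise every run alerts and the signal is lost.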
For WordPress or Other Database Websites (Like Those Impacted by the GoDaddy Attack)
There are a few things you can do to better safeguard your WordPress website. This includes implementing a robust username and password policy and adding multi-factor authentication. If you need to store passwords on your website for any reason, you should ensure that all passwords are encrypted, and you may want to consider using OAuth or another third-party identity management site.
You should also consider implementing rate limiting or limiting user logins based on the number of failed login attempts. This can help safeguard your website from brute-force attacks. You should also strongly consider changing your admin username from the default “Admin” to something harder to guess.
Rate limiting can help safeguard your website from botnets involved in brute force attacks. Rate limiting allows users almost unlimited login attempts but artificially installs a delay between each attempt. Even a seemingly insignificant delay of a second or two can slow down a brute force attack, buying your organization more time for someone to notice something is amiss and take appropriate action.
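The two login controls recommended above (a growing delay between attempts and a lock after a number of failures) combined in one throttle, as an added Python example that is not WordPress code or the article's own: each failed attempt for an account doubles the delay before the next attempt is even evaluated, and the fifth failure locks the account for fifteen minutes. The credential store and the injected clock are constructed so the simulation of one hour of guessing runs instantly.

```python
import time


class LoginThrottle:
    """Per-account throttle: after each failure the next attempt is accepted only
    once a doubling delay has passed; after max_failures the account is locked
    for lockout_seconds. Constructed example, not a framework's own code."""

    def __init__(self, base_delay=2.0, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.state = {}  # username -> {"failures": int, "not_before": float}

    def check(self, username):
        """Return (allowed, seconds_to_wait) before the password is even looked at."""
        s = self.state.get(username)
        if s is None:
            return True, 0.0
        wait = s["not_before"] - self.clock()
        return wait <= 0, max(wait, 0.0)

    def record_failure(self, username):
        s = self.state.setdefault(username, {"failures": 0, "not_before": 0.0})
        s["failures"] += 1
        if s["failures"] >= self.max_failures:
            s["not_before"] = self.clock() + self.lockout_seconds
        else:
            # 2s, 4s, 8s, 16s: cheap for a user who mistyped, crippling for a script.
            s["not_before"] = self.clock() + self.base_delay * 2 ** (s["failures"] - 1)
        return s["failures"]

    def record_success(self, username):
        self.state.pop(username, None)


def attempt_login(throttle, users, username, password):
    """Wrap a credential check with the throttle; returns a status string."""
    allowed, wait = throttle.check(username)
    if not allowed:
        return f"throttled: retry in {wait:.0f}s"
    if users.get(username) == password:  # constructed stand-in for a real password check
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "invalid credentials"


def demo():
    """Simulate a script guessing once per second for an hour, then the real user."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    users = {"editor": "correct-horse-battery-staple"}  # constructed credential store
    evaluated = 0  # guesses that reached the password check
    throttled = 0  # guesses refused before the check
    for second in range(3600):
        now[0] = float(second)
        status = attempt_login(throttle, users, "editor", f"guess{second}")
        if status == "invalid credentials":
            evaluated += 1
        else:
            throttled += 1
    # Fifteen minutes after the hour the last lockout has expired and the
    # legitimate user can sign in; the success clears the account's state.
    now[0] = 3600.0 + 900.0
    legit = attempt_login(throttle, users, "editor", "correct-horse-battery-staple")
    return {"evaluated": evaluated, "throttled": throttled, "legit_after_lockout": legit}


if __name__ == "__main__":
    print(demo())
```

Without the throttle the script would have 3,600 guesses evaluated in the hour; with it, eight. The trade-off is that a lock on the account also holds out the legitimate user during the window, so in production this is usually paired with per-source-address limits and an alert when an account reaches the lockout threshold.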
You should also seriously consider changing your login path from the default URL. WordPress is the most commonly used content management system on Earth, and many WordPress websites continue to use the /wp-admin/ login path. As such, attackers may use this knowledge to quickly locate and access your login page. By making the login page harder to find, you can help dissuade attackers or at least buy your team more time to respond.
Interview Your Hosting Provider & Review Your SLA Carefully
The GoDaddy security incident has demonstrated how much a website’s security depends on the security of its hosting provider. Though life, and cybersecurity in particular, offers no guarantees, here are a few questions you should ask your hosting provider in light of this recent attack.
- Ask your hosting provider how they monitor their network. Suspicious activities can’t be stopped if they aren’t detected, so you want to make sure your hosting provider is carefully monitoring their internal network by asking them how their network is monitored, who is responsible for monitoring, and what sort of red flags they are actively looking for.
- Ask about their antivirus and malware scanning and removal processes. Malware continues to be a threat, so you need to know what sort of malware protection your host offers and what steps they take to secure your website. You should also ask if their support team is scanning your account and request a copy of these internal reports. You also need to be clear on what will happen if your account is infected and what steps your hosting provider will take to help you identify and remove malware on your website.
- Don’t forget SSL, firewalls, and DDoS prevention. You should also ask your provider what sort of protocols they have in place to prevent cyberattacks like the one experienced by GoDaddy. You should also find out if your hosting provider offers SSL certificates or if that is something your team will need to handle. Most providers don’t handle SSL certificate implementation, but they do need to provide you with the certificate so your team can implement it.
You should be able to find at least some of this information in your SLA (service level agreement), but if the answers to any of these questions are missing, you should reach out to your contact at your hosting provider for more information.
You should also lock down your folders and subdirectories to make it more difficult for unauthorized users to access exploits or vulnerabilities associated with back-end software and upload files containing malware. You should also consider adding bot filters and maintaining an active blacklist to help you filter out bots and prevent brute-force attacks.
Create an Incident Response Plan & Invest in Cybersecurity Training for All Employees
When it comes to cybersecurity, it is always best to be proactive instead of reactive. Having a robust incident response plan in place will allow you to respond to attacks quickly and effectively while helping to limit damage and make your recovery smoother.
For more information, please consider reading our educational guide on creating an effective incident response plan.
Beware of Possible Phishing Scams
In their statement, GoDaddy specified that customers whose email addresses were exposed are now more likely than ever to be targeted by phishing attacks. However, all organizations should ensure their employees know what sort of red flags to look for when it comes to phishing scams. To help improve your employee cybersecurity training and educate your team, please consider reviewing our educational article Don’t Let Phishing Scams Catch You Unaware.
Whether your organization has been directly impacted by the GoDaddy security incident or not, now is an excellent time to review your website’s cybersecurity best practices. For more information, or to start improving your cybersecurity stance, please contact our team today.