GoDaddy Announces Source Code Stolen and Malware Installed in Breach

Web hosting company GoDaddy has revealed that an unauthorized party gained access to its servers and installed malware, causing the intermittent redirection of customer websites.

“In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected,” the company wrote in a blog post on Thursday.

“Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.”

GoDaddy added that, working with law enforcement, it has confirmed the attack was executed by a “sophisticated and organized group” targeting various hosting services.

“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

Brad Hong, customer success lead at Horizon3.ai, said that attackers did not “hack” their way into GoDaddy but instead used known compromised credentials to log in and leave vectors for reentry.

“This supposed multi-year advanced persistent threat actor group remained undetected for so long following remediation and mitigation measures from GoDaddy’s numerous past data breach incidents,” Hong told Infosecurity in an email.

“As standard, GoDaddy pushed the onus for action right back to its consumers, advising them to audit their own websites and trust GoDaddy’s security team after trust was broken, all while offering them free ‘website security deluxe and express malware removal’ services instead of fortifying their own kingdom time and time again. Maybe they should’ve used it themselves?”

GoDaddy shared more information about the breach in a 10-K form filed on Thursday with the US Securities and Exchange Commission (SEC).

The incident comes weeks after a malicious campaign targeting victims across the Middle East and North Africa was spotted using public cloud hosting services to host malicious CAB files and themed lures to spur Arabic speakers into opening infected files.
