
Crooks hit us with malware, poisoned customer websites – Naked Security

On February 16th 2023, GoDaddy, a popular web hosting company, filed its annual 10-K report with the US Securities and Exchange Commission (SEC). Under the sub-heading Operational Risks, GoDaddy revealed that in December 2022 an unauthorized third party gained access to its cPanel hosting servers and installed malware. The malware intermittently redirected random customer websites to malicious sites.

URL redirection, also known as URL forwarding, is an unexceptionable feature of HTTP and is commonly used for a variety of legitimate reasons: changing a company's main domain name, shifting web content to new owners, and sending visitors to a temporary site during maintenance. Another important use of URL redirection is to tell visitors who arrive over plain HTTP to reconnect over an encrypted HTTPS connection. Because the target of a redirect can itself redirect, browsers and crawlers cap the number of hops they will follow so that a misconfiguration does not trap them in a never-ending redirect cycle.

An attacker with insider access to a hosting company's web redirection settings can hijack customer websites without modifying their content at all: the files on the server look untouched, yet some visitors are sent elsewhere. Because the redirects are controlled server-side, the attackers can also trigger them only every now and then, so a site owner checking their own pages will usually see nothing wrong, which makes the malicious redirects hard to spot.

GoDaddy took nearly three months to tell the world about this breach, and it has published no indicators of compromise that customers could look for. The breach appears to be part of a multi-year campaign by a sophisticated threat actor group, and investigations into the root cause are continuing.
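As an added illustration (not code from the original article, and not a GoDaddy tool), the following Python script shows how a site owner can audit a redirect chain for the two problems described above: a never-ending loop, and a hop that lands on a domain outside the ones they control. It also shows why a single spot check is not enough against intermittent redirects: a simulated server that misbehaves only on every seventh request is probed repeatedly, and only the repeated sampling catches it. Real HTTP requests are replaced by a constructed in-memory table of responses so the script runs offline; the hostnames example.test and evil-redirect.test, the function names and the every-seventh-request behaviour are assumptions made for this example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for a web server: url -> (HTTP status, Location header or None).
# These entries are invented for the example; they describe no real server.
FAKE_RESPONSES = {
    "http://example.test/": (301, "https://example.test/"),          # benign HTTP -> HTTPS upgrade
    "https://example.test/": (200, None),
    "https://example.test/old-page": (302, "/new-page"),              # benign relative redirect
    "https://example.test/new-page": (200, None),
    "https://example.test/promo": (302, "https://evil-redirect.test/landing"),  # off-site hop
    "https://evil-redirect.test/landing": (200, None),
    "https://example.test/loop-a": (302, "/loop-b"),                  # two pages redirecting to each other
    "https://example.test/loop-b": (302, "/loop-a"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Stand-in for an HTTP request that does NOT follow redirects itself."""
    return FAKE_RESPONSES.get(url, (404, None))


def follow_redirects(url, fetch=fake_fetch, max_hops=10):
    """Follow Location headers hop by hop.

    Returns (chain, outcome) where chain lists every URL visited and outcome is
    'ok', 'loop' (a URL repeated), 'too_many_hops' (hop cap reached) or 'error'.
    The hop cap is the same kind of redirect control browsers use against cycles.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES:
            return chain, "ok" if status == 200 else "error"
        if location is None:
            return chain, "error"
        next_url = urljoin(chain[-1], location)  # resolve relative Location values
        chain.append(next_url)
        if next_url in seen:
            return chain, "loop"
        seen.add(next_url)
    return chain, "too_many_hops"


def audit_redirects(url, allowed_hosts, fetch=fake_fetch):
    """Flag a chain as suspicious if it misbehaves or leaves the allowed hosts."""
    chain, outcome = follow_redirects(url, fetch)
    offsite = [u for u in chain if urlsplit(u).hostname not in allowed_hosts]
    return {
        "chain": chain,
        "outcome": outcome,
        "offsite": offsite,
        "suspicious": bool(offsite) or outcome != "ok",
    }


class IntermittentFetch:
    """Constructed server that answers honestly except on every Nth request for
    the home page, mimicking the intermittent redirects described in the article."""

    def __init__(self, every=7):
        self.every = every
        self.calls = 0

    def __call__(self, url):
        self.calls += 1
        if url == "https://example.test/" and self.calls % self.every == 0:
            return (302, "https://evil-redirect.test/landing")
        return fake_fetch(url)


def sample_redirects(url, allowed_hosts, fetch, samples=20):
    """Probe the same URL repeatedly; return (sample index, chain) for each suspicious result."""
    hits = []
    for i in range(samples):
        result = audit_redirects(url, allowed_hosts, fetch)
        if result["suspicious"]:
            hits.append((i, result["chain"]))
    return hits


if __name__ == "__main__":
    allowed = {"example.test"}
    for path in ("http://example.test/", "https://example.test/promo", "https://example.test/loop-a"):
        print(path, audit_redirects(path, allowed))
    print("intermittent hits:", sample_redirects("https://example.test/", allowed, IntermittentFetch(every=7)))
```

To use this against a live site, replace fake_fetch with a function that issues a request without following redirects (for example `requests.head(url, allow_redirects=False)`) and returns the status and Location header; keep the hop cap, and run the sampling loop from several networks and at different times, since a server-side redirect that fires only occasionally will not show up in a single check.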

Key Points:
– On February 16th 2023, GoDaddy, a popular web hosting company, filed its annual 10-K report with the US Securities and Exchange Commission (SEC).
– In December 2022, an unauthorized third party gained access to GoDaddy's cPanel hosting servers and installed malware that intermittently redirected customer websites to malicious sites.
– URL redirection is an unexceptionable feature of HTTP, commonly used for legitimate reasons such as domain changes, maintenance pages and upgrading visitors to HTTPS.
– An attacker with insider access to a hosting company's redirection settings can hijack customer websites without modifying their content, and can trigger the redirects only occasionally so they are hard to spot.
– GoDaddy took nearly three months to tell the world about this breach, and it has published no indicators of compromise that customers could look for.
– The breach appears to be part of a multi-year campaign by a sophisticated threat actor group, and investigations into the root cause are continuing.
