Web hosting provider GoDaddy has reported a data breach that began in October 2019 and involved an attacker having persistent access to customers’ hosting accounts via SSH.
The breach did not involve customer payment information or other sensitive information in customers’ main GoDaddy accounts. Instead, the incident involved the attacker being able to connect to customers’ hosting accounts, where they control the files and content on their sites. The company said the attacker apparently did not modify any files on victims’ accounts during the intrusion.
“We recently identified suspicious activity on a subset of our servers and immediately began an investigation. The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment,” the company said in a disclosure to the California Office of the Attorney General.
Hosting providers will often give customers the ability to connect to their hosting dashboards over SSH, which provides an encrypted connection. But finding those servers is not a difficult task for an attacker, and from there it is a simple matter of running a brute force attack against each account, trying default or common credential pairs. Such attacks against SSH servers are very common.
“Unfortunately, while the connection established may be encrypted, the ability to connect is not very secure. A criminal could attack the SSH server using common usernames like ‘admin’ or ‘administrator’ and launch a brute force attack to guess the password to then gain access using an extensive list of common passwords. It’s challenging to protect these accounts since communication is for a ‘machine to machine’ connection and not interactive user access,” said James McQuiggan, security awareness advocate at KnowBe4.
“Organizations should implement monitoring controls that can detect and alert where the unusual activity is happening, whether it is large file transfers, communication with unknown sites, or odd behavior such as adverts, pop ups, or account lockouts. These are indicators of account compromise or unauthorized access.”
GoDaddy did not disclose how many customer accounts were involved in the intrusion or whether the attackers were able to access any other portions of the company’s network. In response to the incident, GoDaddy reset all of the affected users’ hosting account passwords and is recommending that customers audit their accounts once they regain access to see if anything was modified.
Access to a victim’s hosting account would allow an attacker to add, delete, or modify any of the files associated with the site or sites the victim is hosting through GoDaddy. That could result in the deletion or modification of content on a site, which could have a number of consequences for victims, ranging from embarrassing to catastrophic, depending upon what actions the attacker took.
“This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor,” GoDaddy said in its disclosure.