The cybercriminals were able to infiltrate GoDaddy’s systems and operate undetected for a span of three years.

GoDaddy, the internet domain registrar, has made a public statement acknowledging a cyberattack on its infrastructure that is speculated to be part of a wider chain of incidents that trace back to 2020.

As a formal requirement for listed entities in the U.S., the company has disclosed the specifics of these attacks in its annual report, which is commonly referred to as Form 10-K.

What happened?

During December 2022, it was discovered by experts that an unapproved third party had managed to infiltrate GoDaddy's cPanel hosting servers and implanted malicious software. As a result, certain customer websites were periodically redirected to harmful websites without warning or pattern.

URL redirection: the secret ingredient

It is a widely used practice for various purposes to legitimately utilize URL redirection within HTTP.

• Gaining entry to a firm's web redirection settings is a way to hack into their web servers without making direct modifications to the content stored on the servers.
• The server's data remains unaltered when the hackers subtly redirect server requests to content that is set up in a different location.
• In case someone scrutinizes the access and upload logs to detect any indication of illicit logins or unauthorized modifications to the website's HTML, CSS, PHP, and JavaScript files, they are unlikely to find anything abnormal since the hackers were able to redirect the traffic to a different location, without altering the original data on the company's server.

What's more concerning is that hackers often initiate malicious URL redirects intermittently, making it challenging to detect their deceitful activity. This is precisely what seems to have happened in the case of GoDaddy's cyberattack.

Connecting the dots

As per the company's official filing, an attack in March 2020 resulted in the unauthorized access of login credentials belonging to around 28,000 hosting customers, as well as a few personnel.

In addition to this, GoDaddy's hosted WordPress service was also compromised in November 2021.

Conclusion

It took GoDaddy nearly three months to disclose the cyberattack, and details about the incident are limited. If you have visited a website hosted by GoDaddy since December 2022, there are no Indicators of Compromise (IOCs) to identify the attack. Although GoDaddy has referred to the breach as recent, the company's Form 10-K filing indicates that the cyberattack could have been ongoing for an extended period.