GoDaddy Hosting Breach Undetected For 6 Months
GoDaddy Inc. has suffered a data breach affecting the web hosting accounts of 28,000 customers. The data breach involved an unknown person accessing accounts using Secure Shell or SSH cryptographic network protocol in October. It was only discovered late last month when GoDaddy noticed suspicious activity on several servers. Affected customers have had their hosting account login information reset to prevent further access and have been advised to conduct an audit of their hosting accounts to make sure that everything is in order.
GoDaddy is sending notices to customers to alert them of a hosting security breach. The security breach is described in vague terms by GoDaddy as an individual obtaining log-in information that could have given the hacker the ability to upload or change website files.
SSH Access Breach
SSH is known as Secure Shell. It’s a secure protocol used to execute commands on a server as well for uploading and changing files. If an attacker has SSH access to a website, the website is compromised. It’s a cryptographic network protocol for operating network services securely over an unsecured network. It is typically used to log into a remote machine and execute commands, but can also be used to transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols.
In general, only admin level users should have SSH access because of the wide ranging changes that can be made to the core files of a website. GoDaddy announced that an unknown attacker had compromised some of their servers.
Official GoDaddy email statement:
“The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account.”
“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment.”
“This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”
How Was SSH Compromised?
According to GoDaddy, the compromise in SSH began in October 2019 and was discovered in April 2020.
Beyond the general statement of when the breach happened and that it had something to do with SSH, GoDaddy does not appear to have disclosed any further information.
- GoDaddy does not say if this is a new vulnerability.
- GoDaddy did not say if it was from a known vulnerability from October 2019 that had gone unpatched.
The only thing GoDaddy admitted was that servers were compromised by a third party on October 2019 and it went undetected for six months.
October SSH Vulnerability
A search for SSH vulnerabilities shows that a severe vulnerability was discovered in OpenSSH 7.7 through 7.9 and all version of OpenSSH 8 up to 8.1.
The vulnerability in OpenSSH was fixed 10/09/2019 in version 8.1. That date coincides with the October 2019 date that GoDaddy confirmed as the date when their hosting servers were compromised.
GoDaddy has not confirmed if the above is the vulnerability.
The report is filed at the United States Government National Vulnerability Database report CVE-2019-16905
But the vulnerability was discovered and described by SecuriTeam where they have a full disclosure.
There are still some unknowns about the data breach. “It’s unclear whether GoDaddy’s reported incident was because of the reuse of previously stolen credentials or from brute force attacks,”said Matt Walmsley, Europe, Middle East and Africa director at cloud-native protection firm Vectra AI Inc. “There have also been recent reports of GoDaddy’s support employees being successfully phished, which might be connected. Regardless of how the unauthorized access was gained, it’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant to a breach.”