My personal engagement with Godaddy last week confirms the cyber-attack that they say affected mainly the Managed WordPress – giving quick assurances that the IT team is working to resolve the issue.
Cybersecurity concerns are national security concerns. The attacks happen at different levels: be it personal, organisational or national. Happenings around the world should be a warning sign to us all, and a wake-up call especially to our institutions. For the benefit of readers, GoDaddy is a leading Domain name and Website Hosting Service Provider for millions of customer around the world.
In fact, the recent publication in the Graphic newspaper of reports from the cybercrime unit of Ghana Police Service indicates the vulnerabilities out there. Yes, as a cybersecurity advocate, I know and its common knowledge that in the cyber space one cannot be 100% secured. However, there are strategic measures which can be adopted at all levels to try and prevent and also mitigate the impact if an attack should happen.
The Statement
November 22, 2021
GoDaddy Announces Security Incident Affecting Managed WordPress Service
On November 17, 2021, we discovered unauthorised third-party access to our Managed WordPress hosting environment. Here is the background on what happened and the steps we took, and are taking, in response:
We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm, and contacted law enforcement. Using a compromised password, an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress.
Upon identifying this incident, we immediately blocked the unauthorised third party from our system. Our investigation is ongoing, but we have determined that – beginning on September 6, 2021, the unauthorised third party used the vulnerability in gaining access to the following customer information:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risks of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials are still in use, we reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Our investigation is ongoing, and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help-centre (https://www.godaddy.com/help), which includes phone numbers based on country.
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident, and are already taking steps to strengthen our provisioning system with additional layers of protection.
Demetrius Comes
Chief Information Security Officer
Ref: https://www.sec.gov/
Let me share some insights from an article by Tara Seal. Several questions arise as to what the vulnerabilities were that could have allowed this to happen.
“The key question is, ‘was multifactor in use?’ “With this breach being caused by a compromised credential, I wouldn’t imagine the log-in was protected by multi-factor authentication, which is an element that could have caused this breach,” Randy Watkins, CTO at Critical Start, said via email. “Moving forward, key and password management is crucial. Applying least-privilege where applicable can lessen the impact of a compromised credential, but it’s still best to protect every log-in with MFA and monitor service accounts that don’t support MFA.”
Impact and Threats
When it comes to the ramifications for those affected, follow-on phishing is the obvious thing to watch out for – as flagged by GoDaddy in its announcement. But other issues should also be considered, researchers said.
“This breach could mean a few things for users,” said Watkins. “There is a chance that keys or credentials could be used to gain access or impersonate customer sites. Either of these scenarios could lead to a compromise of those organisations’ [customers’] data as well. While this breach would just be an inconvenience for most, others may have serious brand damage from impersonated sites or an actual breach.”
According to Murali Palanisamy, chief solutions officer for AppViewX, compromised SSL private keys and certificates could also allow hackers to hijack a domain name and use it to extort ransom for its return.
“They can also redirect users to what appears to be an identical website and deploy malware, or collect user credentials and credit-card information and much more,” he said via email. “All of these threats are extinction-level events.”
He added that while GoDaddy is working to update the SSL certificates, it will take time to accomplish this; so customers might want to take matters into their own hands.
“To mitigate current vulnerabilities, customers of GoDaddy need to check that the certificates are updated and change the passwords for sFTP access to new and unique numbers, letters and symbols,” he said. “I’d also recommend incorporating a cryptographic agility capability, which will enable a quick rollover of certifications and keys.”
Long-term, users could also incorporate short-lived automated certificates.
“This way, if the keys are compromised they are not used by attackers, and the window of opportunity for such sophisticated attacks is reduced,” he said. “Customers of GoDaddy should monitor for unusual activity and report any red flags to government/FTC as soon as possible.”
These impacts and possible threats outlined here should sound a caution to us here in Ghana. Our own cybersecurity authority will have to collaborate with various stakeholders as soon as possible to deliberate on the way forward. Aside from the authority, as I have been calling for, is the need for a strong coalition of private sector players in IT, Insurance and Training to engage on cybersecurity matters.