GoDaddy customers using its Managed WordPress hosting service were exposed by a data breach that also leaked SSL keys, likely affecting a large number of them. The incident has prompted concerns that attackers could hijack domains in order to deploy ransomware, or spoof the affected sites in order to steal credentials and carry out other harmful activity.
GoDaddy, one of the world’s largest domain registrars and hosting providers, announced on November 17th a data breach involving the data of 1.2 million active and inactive Managed WordPress customers. Included in the exposed data were the customer number and email address associated with the WordPress accounts; the default WordPress admin password which had been set at the time the account was created; as well as usernames and passwords associated with SFTP and the database. According to a regulatory filing with the Securities and Exchange Commission, GoDaddy disclosed that one-third of its 1.2 million customers had their SSL keys compromised.
The publicly listed company said it had reset all affected passwords and was issuing new certificates to customers whose SSL keys were compromised. According to GoDaddy’s officials, the attackers reached the certificate provisioning system using a compromised password in GoDaddy’s legacy code base for Managed WordPress. The researchers found that the attackers first gained access to the system on 6th September and remained there undetected for more than 70 days, until 17th November.
"We apologise for this incident and our customers' concerns. We will learn from this incident and are strengthening our provisioning system with additional layers of protection."
Demetrius Comes: Chief Information Security Officer at GoDaddy
There is no word on how customer satisfaction will be affected by these assurances, given GoDaddy’s security woes over the past two years. The company reported in May 2020 that about 28,000 customers had been affected by a data breach; that breach occurred in November 2019 but was not detected until April 2020. On at least two other occasions last year, employees of the firm were socially engineered into handing scammers control of domains belonging to a small number of customers.
Future-Proofing Cyber Security
One of the biggest concerns arising from the new breach is that attackers could use the stolen SSL keys to impersonate legitimate websites in order to steal credentials or distribute malware. Security experts warn that an attacker holding such keys may also attempt to hijack a domain name and extort a ransom for its return.
Nick France, CTO of SSL at Sectigo, says affected companies should replace their existing certificates with new ones, ensuring that the original certificates are revoked and that a brand-new private key is generated. A certificate can generally be revoked within 24 hours, and a compromised key can be replaced within five days. If all of the affected certificates were issued by GoDaddy’s own CA, then GoDaddy, as the issuer, would be the party revoking and reissuing them.
"It is not clear whether all certificates and keys compromised have come from GoDaddy CA or if other certificates have also been compromised. Until we know what the makeup of the compromised certificates looks like — who they were for and who issued them — it's difficult to say exactly who needs to take action."
Nick France
Murali Palanisamy, Chief Solutions Officer at AppViewX, says incidents such as the breach at GoDaddy highlight the need for organisations to have a platform that automates the process of revoking certificates and issuing new ones. Furthermore, incidents of this type suggest that organisations might benefit from using short-lived digital certificates to ensure that even if keys are compromised, attackers are restricted in their ability to exploit them.
“Typical certificates are valid for a year,” Palanisamy says. If a key is compromised halfway through a certificate’s life, the attacker is left with a certificate that stays valid for more than six months. “A short-lived certificate like LetsEncrypt is valid for 90 days and gets automatically renewed,” he says. Depending on the situation, these certificates can be shortened to as little as 30 days. “With a short-lived certificate of 30 days,” he adds, “there’s a shorter window of time that could be used to craft a sophisticated attack on an exploited certificate.”
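As an added example (not GoDaddy’s, Sectigo’s or AppViewX’s tooling), the script below carries out the rotation steps France describes (a brand-new private key and a new certificate to replace the compromised one) with the openssl CLI, and then applies the two checks a defender wants afterwards: that the replacement certificate no longer carries the compromised key, and how long a certificate would remain usable if its key leaked, which is the exposure window Palanisamy’s short-lived certificates are meant to shrink. It assumes openssl is installed; the self-signing step stands in for the CA, and the name example.test and the old/new key scenario are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not GoDaddy's, Sectigo's or AppViewX's code: rotate a compromised
# TLS key with the openssl CLI, then verify the replacement and measure the
# exposure window. Assumptions: openssl is installed; "example.test" is a
# constructed name; self_sign stands in for the CA that would normally return
# the certificate after validating the CSR.
set -e

# Step 1: generate a brand-new private key. Pairing the compromised key with a
# fresh certificate would leave the attacker's copy exactly as useful as before.
gen_new_key() {                 # $1 = output path
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  chmod 600 "$1"
}

# Step 2: build a CSR for the new key. Only the CSR leaves the host; the key stays.
gen_csr() {                     # $1 = key, $2 = common name, $3 = CSR output
  openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Stand-in for the CA (demonstration only): self-sign the CSR for $3 days.
self_sign() {                   # $1 = key, $2 = CSR, $3 = validity days, $4 = cert output
  openssl x509 -req -in "$2" -signkey "$1" -days "$3" -out "$4" 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo. Same key => same fingerprint, so the
# compromised key's fingerprint can be kept and scanned for across an estate.
key_spki_fpr() {                # $1 = private key file
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
cert_spki_fpr() {               # $1 = certificate file
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the certificate still carries the key in $2, i.e. rotation failed.
cert_uses_key() {               # $1 = certificate, $2 = private key
  [ "$(cert_spki_fpr "$1")" = "$(key_spki_fpr "$2")" ]
}

# Exit 0 if the certificate remains valid for more than $2 days from now: the
# window in which a leaked key stays usable unless the certificate is revoked.
exposure_exceeds_days() {       # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# End-to-end run in a scratch directory; returns 0 only if every check passes.
demo() {
  demo_dir=$(mktemp -d)
  # Constructed scenario: old.key is the key presumed exposed, bound to a
  # one-year certificate, the "typical certificate" case quoted above.
  gen_new_key "$demo_dir/old.key"
  gen_csr "$demo_dir/old.key" example.test "$demo_dir/old.csr"
  self_sign "$demo_dir/old.key" "$demo_dir/old.csr" 365 "$demo_dir/old.crt"

  # Rotation: fresh key, fresh CSR, and a 30-day replacement certificate.
  gen_new_key "$demo_dir/new.key"
  gen_csr "$demo_dir/new.key" example.test "$demo_dir/new.csr"
  self_sign "$demo_dir/new.key" "$demo_dir/new.csr" 30 "$demo_dir/new.crt"

  demo_ok=0
  cert_uses_key "$demo_dir/old.crt" "$demo_dir/old.key" || demo_ok=1   # sanity: old pair matches
  cert_uses_key "$demo_dir/new.crt" "$demo_dir/old.key" && demo_ok=1   # must be false after rotation
  exposure_exceeds_days "$demo_dir/old.crt" 90 || demo_ok=1            # 365-day cert: long window
  exposure_exceeds_days "$demo_dir/new.crt" 90 && demo_ok=1            # 30-day cert: short window
  rm -rf "$demo_dir"
  return "$demo_ok"
}

if demo; then
  echo "rotation verified: new key in use, replacement expires within 90 days"
else
  echo "rotation check FAILED" >&2
  exit 1
fi
```

The fingerprint comparison is the check most often skipped in practice: a certificate reissued against the old CSR passes every browser check yet still carries the leaked key. `exposure_exceeds_days` uses `openssl x509 -checkend`, so it measures remaining validity from now rather than total lifetime; for a freshly issued certificate the two coincide, and remaining validity is the figure that matters for a defender deciding whether to rely on revocation or on short lifetimes.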
If you want to alleviate future hacks, please do not hesitate to get in touch with our team here at Mitigate Cyber. We offer a range of cyber security solutions, from threat mitigation to testing, training and much more.