The US Securities and Exchange Commission (SEC) has published a “Security Incident” submitted by web services giant, GoDaddy. GoDaddy says that in November 2021, it realized that there were cybercriminals in its network, kicked them out, tried to determine when the hackers got in, and what they managed to do while on the inside.
According to GoDaddy, the hackers had the following:
- Active access since early September 2021, a ten-week window.
- Acquired email addresses and customer numbers of 1,200,000 Managed WordPress (MWP) customers.
- Gained access to all active MWP usernames and passwords for sFTP (secure FTP) and WordPress databases.
- Gained access to SSL/TLS private keys belonging to some MWP users. (The report says “a subset of active users”, without stating an estimated number.)
GoDaddy also stated that the default WordPress admin passwords created when each account was opened were accessed, too. CyberHoot is hoping that few, if any, active users had left this password unchanged after setting up their WordPress account.
GoDaddy’s wording states that “sFTP […] passwords were exposed”, which makes it sound as though those passwords had been stored in plaintext form. If the passwords had been salted, hashed, and stretched, GoDaddy would not have had to report the exposure of these passwords. Properly hashed passwords, once stolen, cannot easily be cracked by attackers. A well-chosen password, properly salted, hashed, and stretched, can take years to crack with current computing equipment, and because each hash carries its own salt, attackers must guess against each stolen password separately rather than cracking the whole list at once.
Researchers at WordFence, a company focused on WordPress security, say they were able to read out their own sFTP password via the official MWP user interface, something that shouldn’t have been possible if the passwords were stored in a “non-reversible” hashed form.
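To make the distinction concrete, here is an added example (not code from GoDaddy, WordFence, or this post) of salted, stretched password storage using PBKDF2-HMAC-SHA256 from Python’s standard library. The iteration count and salt length are assumptions chosen for the illustration; the point is that the stored record can verify a password but cannot be read back out, which is exactly what a “reveal my sFTP password” feature rules out.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this illustration; a real deployment picks its own.
ITERATIONS = 600_000   # "stretching": every guess costs this much work
SALT_BYTES = 16        # per-user random salt, so equal passwords hash differently


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The record lets the server check a password later, but nobody, including the
    server itself, can recover the password from it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(record: str, password: str) -> bool:
    """True if the stored record contains the password itself (plaintext storage).

    A system that can show users their current password must store something
    reversible; a record built by hash_password never satisfies this check."""
    return password in record
```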
GoDaddy has now reset all affected passwords and says it’s in the process of replacing all potentially stolen web certificates with new ones. GoDaddy is also in the process of contacting as many of the 1,200,000 affected users as it can, which is a helpful move for their customers, considering it’s only been known for a handful of days.
However, with ten weeks in hand before getting spotted, the criminals in this attack could have used the compromised sFTP passwords and web certificates to pull off further exploits against MWP users. In particular, crooks who know your sFTP password could, in theory, not only download the files that make up your site, stealing your core content, but also upload unauthorized additions to the site.
Those unauthorized website additions could include:
- Backdoored WordPress plugins to let the crooks sneak back in again even after your passwords are changed.
- Fake news that would embarrass your business if customers were to come across it.
- Malware directly targeting your site, such as crypto mining or data-stealing code designed to run right on the server.
- Malware targeting visitors to your site, such as zombie malware to be served up as part of a phishing scam.
Also, crooks with a copy of your SSL/TLS private key could set up a fake site elsewhere, such as an investment scam or a phishing server, that not only claimed to be your site but also actively “proved” that it was yours by using your very own web certificate.
What To Do?
While there are many things you can do to not fall victim in situations like these, the following actions are smart first steps to take if you think you or your business may have been involved in this breach:
- Replace your SSL certificate as soon as possible. While GoDaddy is formally reaching out to do this, be sure to make this a top priority when contacted. If you are not contacted, reach out to them to file a ticket requesting this.
- If you are not using a Password Manager at your business, inform your WordPress users of this breach to their sFTP password. They will likely be reusing that password elsewhere and should change it immediately wherever it was used. This is a GREAT time to adopt a password manager for your users.
- Watch out for contact from GoDaddy about the incident. Check that your contact details are correct so that if the company needs to send you an email, you’ll definitely receive it.
- Turn on 2FA if you haven’t already. In this case, the attackers apparently got in by exploiting a vulnerability, but getting back into users’ accounts later with exfiltrated passwords is much harder if the password alone is not enough to complete the authentication process.
- Review all the files on your site, especially those in the WordPress plugin and theme directories. By uploading booby-trapped plugins, the attackers may be able to get back into your account later, even after all the original holes have been patched and stolen passwords changed.
- Review all accounts on your site. Another popular trick with cybercriminals is to create one or more new accounts, often using usernames that are carefully chosen to fit in with the existing names on your site, as a way of sneaking back in later.
- Be careful of anyone contacting you out of the blue and offering to “help” you to clean up. The attackers in this case made off with email addresses for all affected users, so those “offers” could be coming directly from them, or indeed from any other ambulance-chasing cybercrook out there who knows or guesses that you’re an MWP user.
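The file review in the steps above is easiest when you have a known-good baseline to compare against. The following added example (not code from GoDaddy, WordPress, or this post) builds a SHA-256 manifest of the plugin and theme directories and reports files that appeared, changed, or vanished since the baseline was recorded; the site tree it walks is constructed inline in a temporary directory with made-up plugin and theme names.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Directories the review in this post singles out (paths relative to the site root).
WATCHED = ("wp-content/plugins", "wp-content/themes")


def build_manifest(site_root: str) -> Dict[str, str]:
    """Map every file under the watched directories to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for sub in WATCHED:
        for dirpath, _dirs, filenames in os.walk(os.path.join(site_root, sub)):
            for name in filenames:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                rel = os.path.relpath(full, site_root).replace(os.sep, "/")
                manifest[rel] = digest
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files to look at: new since baseline, content changed, or missing."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo_review() -> Dict[str, List[str]]:
    """Constructed site: record a baseline, then make the two kinds of change a review should catch."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-content/plugins/example-plugin/plugin.php", "<?php // plugin entry point\n")
        _write(root, "wp-content/themes/example-theme/functions.php", "<?php // theme functions\n")
        baseline = build_manifest(root)
        # An unexpected new file and an edit to a known file, as an intruder with sFTP access could make.
        _write(root, "wp-content/plugins/example-plugin/extra.php", "<?php // not present at baseline\n")
        _write(root, "wp-content/themes/example-theme/functions.php", "<?php // theme functions, altered\n")
        return diff_manifests(baseline, build_manifest(root))
```

In practice, take the baseline from a fresh copy of each plugin and theme at its installed version, not from the possibly compromised live site.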
Additional Cybersecurity Recommendations
In addition to these protections, CyberHoot also recommends businesses take the following steps to secure their business. These measures provide a great deal of value for the cost and time investment they require.
- Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
- Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
- Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
- Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
- In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc.) or prohibiting their use entirely.
- If you haven’t had a risk assessment by a third party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most serious risks with your finite time and money.
- Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.