The online world has 2 primary roots of trust: Domain Name System (DNS) and WWW. If you can control these, you can ‘prove’ you own a company. This allows you to do many things, including:
- send email without getting blocked (DKIM, SPF, DMARC)
- Azure domain takeover (access to Office 365, Azure Active Directory)
- Ads placed as company (Apple, Microsoft, …)
- Web admin consoles (Google Search Console, …)
- Industrial espionage (web traffic, keywords, …)
Really, the world is your oyster if you can put records in DNS and WWW. And, the biggest managed provider of them all in this space is GoDaddy. Landing today, this filing, dropped a Silent-But-Deadly set of hard facts. Over the course of multi-years, a bad actor systematically has ongoing access to 1.2M customers.
For examples, in March 2020, we discovered a threat actor compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel. These hosting login credentials did not provide access to the hosting customers’ main GoDaddy account. We have spent resources investigating and responding to this activity, notified the impacted customers, reported the activity to applicable regulatory authorities, and are responding to requests for information regarding our data privacy and security practices, including from the Federal Trade Commission (FTC) pursuant to Civil Investigative Demands issued in July 2020 and October 2021. The timing of resolution and the outcome of this matter are uncertain. In November 2021, using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million active and inactive MWP customers across multiple GoDaddy brands. We reported the MWP incident to applicable regulatory authorities and have responded to inquiries from customers, strategic partners, regulators, and the media. The timing of resolution and outcome of this matter are uncertain. In December 2022, an unauthorized third party gained access to and installed malware on our cPanel hosting servers. The malware intermittently redirected random customer websites to malicious sites. We continue to investigate the root cause of the incident. Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy. To date, these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations…GoDaddy SEC Filing
The width and breadth of the breach are enormous. Is it a single breach, or a set? Somewhat academic. In 2021, GoDaddy revealed that a password was leaked, said password allowing access to 1.2M WordPress installations, perhaps allowing cloning of SSL private keys, perhaps allowing malware to be installed, etc.
Funny, there’s that word again, password. How can one short string of characters, without even a multi-factor challenge, cause so much damage? It must be something that is shared, known by multiple people, written down somewhere. Imagine the turn-over that must exist in a company that size, this password was valid long enough for this breach to occur, in that time multiple people who knew it must have left the company.
Is it still a single breach? What about the 2019 issue? This one is more squarely on the DNS side of the business, allowing bad spam to come from good companies.
By this stage we are seeing a pattern. A company who is a big target (because of their scope and success) holds the keys to Boardwalk and Park Place attracts attackers, attackers who exploit weakness in strategy.
Consider instead if the target had used a Defense In Depth strategy? Start by segmenting down to a 1:1 basis. Instead of 1 password having 1.2M sites control, how about 0 passwords instead? Strong identity, authentication, from a single-sign-on provider. A separate access token for each. Breach it, you get 1, not 1.2M. This Defense In Depth strategy is a core part of a Zero Trust Network Architecture. First solve the “Who” problem (who are you), then the “What” problem (what are you allowed to do), then the “How” problem (how do i get you there). Do it on a pairwise User<->Resource basis, rather than on a “you are in and fully trusted, now do whatever you want”.
Now, let’s come back to the last line of that quote. “To date, these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations…”. This is from the SEC filing. And this is, I think, the most impactful. There is no negative incentive, no feedback loop. If the downside cost of bad strategy is low, there’s no incentive to fix it. The pain was felt by their customers. Payment redirection fraud. Brand used to send spam. Spearphished. Malware on their web page. Etc. But not by the company itself. And that will have to change to change the behaviour.