The US Securities and Exchange Commission (SEC) has published a "security event" filing submitted by internet services giant GoDaddy. GoDaddy says that in November 2021 it discovered cybercriminals inside its network, evicted them, and set out to determine when the attackers got in and what they managed to do while they were there.
What happened?
According to GoDaddy, the attackers:
- Had been active in its network since early September 2021, a window of roughly ten weeks.
- Obtained the email addresses and customer numbers of up to 1,200,000 Managed WordPress (MWP) customers.
- Had access to the usernames and passwords of all active MWP customers for sFTP (Secure FTP) and WordPress.
- Obtained the SSL/TLS private keys belonging to some MWP customers. (The filing says "a subset of active customers", without giving even an approximate number.)
GoDaddy also stated that the default WordPress admin password created when each account is provisioned was accessed as well. CyberHoot hopes that few, if any, active users left that password unchanged after setting up their WordPress site.
GoDaddy's wording states that "sFTP [...] passwords were exposed", which makes it sound as though these passwords were stored in plaintext, or at least in a form the server can turn back into plaintext. If the passwords had been salted, hashed and stretched, the attackers would have walked away with hashes rather than usable passwords, and GoDaddy would not have had to report the passwords themselves as exposed. Properly hashed passwords, once stolen, cannot easily be cracked. A well-chosen, well-salted, hashed and stretched password can take years to crack with current hardware, because the attacker has to try each guess individually, and the stretching makes every guess expensive.
Researchers at Wordfence, a company that focuses on WordPress security, reported, for example, that they were able to read their own sFTP password back through the official MWP user interface, something that would not have been possible if the passwords had been stored as a non-reversible hash.
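To make the distinction concrete, here is an added example (not GoDaddy's or Wordfence's code, and not a description of how MWP actually stored anything) of what "salted, hashed and stretched" storage looks like next to a reversible store that can hand the plaintext back to a "show my password" button. It uses only the Python standard library; the record format, the PBKDF2 work factor and the `reversible_store` stand-in are assumptions made for the illustration.

```python
"""Added example: non-reversible password storage versus a reversible store.
Not code from GoDaddy, Wordfence or CyberHoot."""
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed here; OWASP's 2023 guidance is 600,000).
ITERATIONS = 600_000


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, random salt, digest.

    The random salt makes identical passwords produce different records (no
    precomputed tables), and the iteration count ("stretching") makes every
    guess cost the attacker real CPU time.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and cost and compare it in
    constant time.  Nothing in this function can recover the password."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        cost = int(iterations)
    except ValueError:
        return False          # malformed record: never a successful login
    if algorithm != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return hmac.compare_digest(actual, expected)


# --- The reversible design the article describes -------------------------
# Stand-in for any scheme (plaintext, or encryption under a key the web
# application itself holds) that lets a "show my sFTP password" button work.
# base64 is used only so the example runs offline: it is an encoding, not
# encryption, and here it simply stands for "reversible with the server's
# own key".

def reversible_store(password: str) -> str:
    return base64.b64encode(password.encode()).decode()


def reversible_reveal(stored: str) -> str:
    """Exactly what a UI, or an intruder holding the database and the key,
    can do with a reversible record: get the password back."""
    return base64.b64decode(stored).decode()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                   # salt and digest only
    print(verify_password("correct horse battery staple", record))   # True
    print(reversible_reveal(reversible_store("hunter2")))            # hunter2
```

Two hashes of the same password differ because of the salt, so an attacker with the database cannot even tell which customers share a password, let alone display one in a UI. A reversible record, by contrast, is only as secret as the key that decrypts it, and that key normally lives on the very systems the attackers were inside.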
What now?
GoDaddy has now reset all affected passwords and says it is in the process of replacing any web certificates whose private keys may have been stolen. GoDaddy is also contacting as many of the 1,200,000 affected customers as it can, a welcome move given that the intrusion has only been known about for a few days.
However, with ten weeks in hand before they were noticed, the criminals in this attack had time to use the stolen sFTP passwords and certificates to carry out further attacks against MWP customers. In particular, attackers who know your sFTP password can, in theory, not only download the files that make up your site and steal your content, but also upload unauthorised additions to it.
Such unauthorised additions could include:
- Backdoored WordPress plugins that let the crooks sneak back in even after you have changed your passwords.
- Fake content that would embarrass your business if customers came across it.
- Malware that targets your site directly, such as cryptomining or data-stealing code designed to run on the server.
- Malware that targets your site's visitors, such as zombie (bot) malware served to them as part of a phishing scam.
Also, attackers with a copy of your SSL/TLS private key could set up a fake website elsewhere, such as an investment scam or phishing server, that not only claims to be your site but actively "proves" it by presenting your own web certificate. To pull this off they also need to get traffic destined for your hostname to their server (DNS hijacking, a rogue Wi-Fi hotspot, or another on-path position), but once they do, browsers show the padlock and your domain name without complaint until the old certificate has been revoked and replaced.
What to do?
While there is plenty you can do to avoid falling victim to incidents like this, the following are sensible first steps if you think you or your business were caught up in this breach:
- Replace your SSL certificate as soon as possible. GoDaddy has said it will do this for you, but make it a priority when they contact you; if they have not, open a support ticket asking for it. Because the private key itself was exposed, the old certificate must be revoked and the new one issued for a freshly generated key pair. Reissuing a certificate for the same key gains nothing.
- If you do not use a password manager in your business, notify your WordPress users that their sFTP password was exposed in this breach. They may well have reused it elsewhere, and it should be changed immediately wherever it is used. This is a good moment to adopt a password manager for your users.
- Watch out for contact from GoDaddy about the incident. Check that your contact details are correct so that any email the company sends you actually reaches you.
- Turn on 2FA if you have not already. In this case the attackers apparently got in through a vulnerability on GoDaddy's side rather than by guessing customer passwords, but getting back into users' accounts later with the stolen passwords is much harder if a password alone is not enough to complete the login.
- Review all the files on your site, especially those in the WordPress plugin and theme directories. By uploading booby-trapped plugins, attackers may be able to get back into your site later, even after the original holes have been fixed and the stolen passwords changed. Compare plugin and theme files against fresh copies of the same version from wordpress.org, and treat any PHP file in wp-content/uploads as hostile until proven otherwise.
- Review all the accounts on your site. Another popular trick is to create one or more new accounts, usually with carefully chosen usernames that blend in with the existing ones, as a way to sneak back in later.
- Beware of anyone who contacts you directly offering to "help" you clean up. The attackers in this case got away with the email addresses of all affected customers, so such "offers" could come straight from them, or from any other ambulance-chasing cybercrook who knows or guesses that you use MWP.
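The file and account reviews above are tedious to do by hand on a site with dozens of plugins. The following added example (not CyberHoot's, GoDaddy's or WordPress's code) is a first-pass audit that does the mechanical part: it lists PHP files in the uploads directory, flags plugin and theme files containing common web-shell idioms, lists files touched after the attackers' window opened, and lists administrator accounts that are not on an allow-list you maintain. It builds a small constructed site tree and user table in a temporary directory so that it runs offline; the paths, the `wp_` table prefix, the marker patterns and the 1 September 2021 cut-off are assumptions for the illustration. To use it for real, point the functions at your document root and at a SQLite copy (or equivalent query) of your wp_users and wp_usermeta tables.

```python
"""Added example: first-pass post-compromise audit of a WordPress docroot.
Constructed sample data; not code from CyberHoot, GoDaddy or WordPress."""
from __future__ import annotations
import os
import re
import sqlite3
import tempfile
import time
from pathlib import Path

# Start of the attacker's ten-week window reported by GoDaddy (early September 2021).
BREACH_WINDOW_START = time.mktime((2021, 9, 1, 0, 0, 0, 0, 0, -1))
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Constructs common in PHP web shells and backdoored plugins (assumed list).
# Every hit needs a human look: some legitimate plugins do call base64_decode.
SUSPICIOUS = re.compile(
    rb"\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    rb"\bassert\s*\(|\$_(?:REQUEST|GET|POST)\s*\[[^\]]*\]\s*\(|"
    rb"preg_replace\s*\([^,]*/e['\"]"
)


def php_files_in_uploads(docroot: Path) -> list:
    """wp-content/uploads should hold media, never executable PHP."""
    uploads = docroot / "wp-content" / "uploads"
    return sorted(p.relative_to(docroot).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)


def suspicious_php_files(docroot: Path) -> list:
    """PHP files anywhere under wp-content whose source matches a web-shell idiom."""
    return sorted(p.relative_to(docroot).as_posix()
                  for p in (docroot / "wp-content").rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
                  and SUSPICIOUS.search(p.read_bytes()))


def files_changed_since(docroot: Path, since: float = BREACH_WINDOW_START) -> list:
    """Plugin/theme files modified after the window opened.  Mtimes can be
    forged, so no hits proves nothing; hits are worth diffing against a
    clean copy of the same plugin or theme version."""
    out = []
    for sub in ("plugins", "themes"):
        for p in (docroot / "wp-content" / sub).rglob("*"):
            if p.is_file() and p.stat().st_mtime >= since:
                out.append(p.relative_to(docroot).as_posix())
    return sorted(out)


def unexpected_admins(db: sqlite3.Connection, known_admins: set) -> list:
    """Administrators in wp_usermeta that are not on your allow-list."""
    rows = db.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'"
    )
    return sorted(login for (login,) in rows if login not in known_admins)


def build_sample_site():
    """Constructed sample: one clean plugin file untouched since August, a web
    shell dropped in uploads, a backdoored file added to the plugin, and a
    look-alike admin account ('siteadmin_' next to the real 'siteadmin')."""
    root = Path(tempfile.mkdtemp())
    clean = root / "wp-content" / "plugins" / "akismet" / "akismet.php"
    clean.parent.mkdir(parents=True)
    clean.write_bytes(b"<?php\n// legitimate plugin code\nfunction akismet_init() {}\n")
    os.utime(clean, (BREACH_WINDOW_START - 86400 * 30,) * 2)
    shell = root / "wp-content" / "uploads" / "2021" / "11" / "wp-cache.php"
    shell.parent.mkdir(parents=True)
    shell.write_bytes(b"<?php @eval(base64_decode($_REQUEST['x']));\n")
    trojan = clean.parent / "class.helper.php"
    trojan.write_bytes(b"<?php if(isset($_POST['k'])){$_POST['k']($_POST['c']);}\n")
    (root / "wp-content" / "themes").mkdir()
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'siteadmin'), (2, 'editor_jane'), (3, 'siteadmin_');
        INSERT INTO wp_usermeta VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return root, db


if __name__ == "__main__":
    root, db = build_sample_site()
    print("PHP in uploads:      ", php_files_in_uploads(root))
    print("Web-shell idioms:    ", suspicious_php_files(root))
    print("Changed since window:", files_changed_since(root))
    print("Unexpected admins:   ", unexpected_admins(db, {"siteadmin"}))
```

None of these checks is conclusive on its own: a backdoor can be written in clean-looking PHP, timestamps can be set to anything, and a rogue admin can be given a perfectly plausible name. Together, though, they turn "review all the files and accounts" into a short list of concrete items to inspect, which is usually enough to find the crude web shells that follow a mass credential theft.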
Additional cyber security recommendations
In addition to the steps above, CyberHoot recommends that businesses take the following measures to protect themselves. They deliver great value for the cost and time they require (especially when delivered through CyberHoot).
- Govern employees through policies and procedures. At a minimum you need a password policy, an acceptable use policy, an information handling policy and a written information security plan (WISP).
- Train employees to spot and avoid phishing attacks. Adopt a learning management system like CyberHoot to teach employees the skills they need to be safer, more productive and more secure.
- Test employees with practice phishing attacks. CyberHoot's Phish Test lets businesses test employees with realistic phishing emails and enrol those who fail in remedial phishing training.
- Deploy critical security technology, including two-factor authentication on all critical accounts. Enable email filtering, tested backups, DNS protection, and antivirus and anti-malware on all your endpoints.
- In the era of working from home, make sure you manage the personal devices that connect to your network, either by verifying their security (patching, antivirus, DNS protection, etc.) or by banning their use entirely.
- If you have not had a third-party risk assessment in the last two years, get one now. Establishing a risk management framework in your organisation is critical to tackling your most serious risks with your finite time and money.
- Buy cyber insurance to protect you in the event of a catastrophic failure. Cyber insurance is no different from car, fire, flood or life insurance: it is there when you need it most.
Most of these recommendations are built into CyberHoot. With CyberHoot you can govern, train, assess and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least, keep learning by subscribing to our monthly cyber security newsletter to stay up to date on the latest developments.