Unknown threat actors have compromised multiple domain names registered with Squarespace. The incident, which began around July 10, 2024, has affected numerous domains that were transferred to Squarespace following its acquisition of Google Domains in September 2023.
On September 7, 2023, Squarespace acquired all domain registration data and customers from Google Domains. This migration process, which has been ongoing for several months, involved automatically creating Squarespace accounts for each domain based on the email addresses associated with the Google Domains accounts, including admin, tech, and billing contacts.
The Attack
The attackers have exploited vulnerabilities in the migration process, gaining unauthorized access to Squarespace accounts. The exact method of access remains unclear, but potential vectors include:
- Leaked or reused passwords: Attackers may have accessed accounts using previously compromised credentials.
- Vulnerabilities in the migration process: The automatic creation of accounts during the migration may have introduced security gaps.
- Social engineering: Attackers could have manipulated support employees to gain insider access.
Once inside the Squarespace accounts, the threat actors took control of the domains' DNS: they changed nameservers or edited DNS records directly to redirect domain traffic, and altered MX records to intercept email. With inbound email under their control, the attackers could complete password resets and gain further control over accounts associated with those domains.
The breach has had a widespread impact, particularly on decentralized finance (DeFi) platforms. Notable affected entities include Compound Finance, Celer Network, and Pendle Finance, among others. These platforms experienced DNS hijacking, redirecting users to malicious sites designed to steal funds and sensitive information.
Recommendations for Affected Users
Squarespace has issued several recommendations to mitigate the impact and prevent further unauthorized access:
- Enable Two-Factor Authentication (2FA): Users should log into their Squarespace accounts, create new passwords, and enable 2FA to enhance security.
- Remove Excess Contributor Accounts: Auto-created accounts pose unnecessary risks and should be removed if no longer needed.
- Disable Reseller Access on Google Workspace: Users should disable reseller access to prevent unauthorized creation of admin users.
- Revert DNS Changes: Verify and correct any unauthorized changes to DNS records.
- Remove Unnecessary Admins: Ensure only active and necessary administrators have access to the domain.
- Check for Unexpected Settings: Review all domain settings for any suspicious configurations.
- Consider Transferring Domains: Users may consider transferring their domains to other registrars, such as Cloudflare Registrar, Amazon Route53, MarkMonitor, or CSC.
Indicators of Compromise
Security researchers have identified specific indicators of compromise associated with the attack:
- IP address (defanged): 185[.]196[.]9[.]29
- MX records (defanged): mx[.]zoho[.]eu, mx2[.]zoho[.]eu, mx3[.]zoho[.]eu
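To act on the "Revert DNS Changes" recommendation and the indicators above, here is an added Python example (not from the article or from Squarespace) that diffs a domain's observed NS/MX/A records, given in `dig +short` form, against a known-good baseline and flags the reported indicators; the domain name, baseline and observed records are constructed sample data, not real lookups.

```python
"""Audit a domain's observed NS/MX/A records against an expected baseline
and the indicators reported for the Squarespace incident.
Record values follow `dig +short` output (e.g. "10 mx.zoho.eu."); the
observed records below are constructed sample data, not live lookups."""

# Indicators quoted in the write-up, refanged so they compare to DNS answers.
IOC_MX = {"mx.zoho.eu", "mx2.zoho.eu", "mx3.zoho.eu"}
IOC_IPS = {"185.196.9.29"}


def normalize(rtype, value):
    """Lower-case, drop the trailing dot, and drop the MX priority field."""
    value = value.strip().lower().rstrip(".")
    if rtype == "MX" and " " in value:
        value = value.split()[-1]
    return value


def audit_dns(domain, observed, expected):
    """Return a list of (domain, rtype, kind, value) findings; an empty list
    means the observed records match the baseline and contain no indicator.
    observed / expected: {"NS": [...], "MX": [...], "A": [...]}."""
    findings = []
    for rtype in ("NS", "MX", "A"):
        seen = {normalize(rtype, v) for v in observed.get(rtype, [])}
        want = {normalize(rtype, v) for v in expected.get(rtype, [])}
        for extra in sorted(seen - want):
            findings.append((domain, rtype, "unexpected", extra))
        for missing in sorted(want - seen):
            findings.append((domain, rtype, "missing", missing))
        iocs = IOC_MX if rtype == "MX" else IOC_IPS if rtype == "A" else set()
        for hit in sorted(seen & iocs):
            findings.append((domain, rtype, "IOC", hit))
    return findings


# Constructed example: a hypothetical domain whose MX records were swapped
# for the reported ones and whose A record now points at the reported IP.
EXPECTED = {"NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
            "MX": ["10 aspmx.l.google.com."],
            "A": ["203.0.113.10"]}
OBSERVED = {"NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
            "MX": ["10 mx.zoho.eu.", "20 mx2.zoho.eu."],
            "A": ["185.196.9.29"]}

if __name__ == "__main__":
    for finding in audit_dns("app.example.com", OBSERVED, EXPECTED):
        print("%s %s %s: %s" % finding)
```

Feed it the current answers for each domain you own (for example from `dig +short NS/MX/A`) and treat any "unexpected" or "IOC" finding as a record to revert and investigate.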
The investigation into the breach is ongoing, with security experts working to understand the full extent of the compromise and the exact methods used by the attackers. Squarespace has been urged to enhance its security measures and provide more robust support to affected customers.
As the situation develops, users are advised to exercise extreme caution when interacting with any potentially compromised domains and to stay updated with the latest security advisories from Squarespace and other relevant authorities.