Web hosting giant GoDaddy says unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment.
While GoDaddy discovered the security breach in early December 2022 following customer reports that their sites were being used to redirect to random domains, the attackers had access to the company’s network for multiple years.
“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the hosting firm said in an SEC filing.
GoDaddy is now working with external cybersecurity forensics experts and law enforcement agencies worldwide as part of an ongoing investigation into the root cause of the breach.
Additionally, GoDaddy says it found evidence that the threat actors are also behind a broader campaign targeting other hosting companies worldwide over the years.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a statement.
“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”
GoDaddy says it has implemented security measures to prevent future infections after detecting the intrusion in December.
A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Multiple breaches and security incidents since 2019
The company disclosed another security breach in November 2021 that led to a data breach affecting 1.2 million Managed WordPress customers.
The attackers breached GoDaddy’s WordPress hosting environment in 2021 using a compromised password. They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.
GoDaddy disclosed another breach in May 2020, alerting some customers that an attacker used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.
In April 2019, scammers also used hundreds of compromised GoDaddy customer accounts to create almost 15,000 subdomains that enabled them to impersonate popular websites and redirect potential victims to spam pages pushing snake oil products.
The same year, in January 2019, website admins using GoDaddy’s services discovered that the company was injecting JavaScript into U.S. customers’ websites without their knowledge, potentially rendering them inoperable or impacting their performance.
GoDaddy is one of the largest domain registrars, and it also provides hosting services to over 20 million customers worldwide.