GoDaddy discloses multi-year security breach
GoDaddy, the web hosting and domain name company, disclosed a recent attack on its infrastructure and revealed that it is part of a connected series of incidents that date back to 2020.
In an unusual move, the company has included details of the attacks in its Form 10-K, which is the formal annual report required by listed entities in the US. The report outlines an attack in March 2020 that compromised the hosting login credentials of roughly 28,000 hosting customers and a small number of employees, as well as a November 2021 breach of its hosted WordPress service.
According to the filing, the most recent attack occurred in December 2022 when an unauthorised third party gained access to GoDaddy's cPanel hosting servers and installed malware, which intermittently redirected random customer websites to malicious sites. Although the root cause of the incident is unknown, GoDaddy suspects that it could be part of a multi-year campaign by a sophisticated threat actor group, which included installing malware on the company's systems and acquiring pieces of code related to some of GoDaddy's services.
IR Team comment: “It could've been as a result of an Initial Access Broker (IAB). Initial Access Broker's are threat actors that specialise in the first stage of a breach i.e. gaining access to the organisation's internal network. They then advertise this to other threat actors (more commonly ransomware operators) who then bid/purchase the access off the IAB. To speculate, it could be that the IAB (if there was one) took 3 years to sell the access to another threat actor. The purchase price would depend on the perceived value of the target. GoDaddy being a web hosting/domain registrar company would mean it is highly targeted by attackers,” - Integrity 360’s Cyber Threat Response Manager Patrick Wragg.
Ukrainian hackers behind Cyber-attack on Russian State TV stations during Putin’s speech
During a live broadcast of President Vladimir Putin's address to Russia's elite on Tuesday, at least two Russian media websites went down. The website of the state-owned broadcaster VGTRK attributed the outage to "technical works," while the live-streaming platform Smotrim failed to load.
In a nearly two-hour speech, Putin pledged to continue Russia's ongoing war in Ukraine and accused the West of waging an economic war against Russia. The Ukrainian hacktivist group IT Army claimed responsibility for the incident, announcing on Telegram that it launched a Distributed Denial-of-Service (DDoS) attack on channels broadcasting Putin's address, with Russian state-controlled television channel 1TV also among its targets.
The IT Army, a collective of Ukrainian tech specialists, was established during the early days of the war and has conducted more than 15,000 DDoS attacks on Russian websites, including government services, banks, and private firms, over the past year.
Virgin Media TV hit by cyber attack
Ireland’s National Cyber Security Centre launched an investigation this week after Virgin Media Television announced that it experienced a cyber-attack. The broadcaster reported an "unauthorised attempt" to access its systems in recent days, which has impacted the broadcasting of recorded programming on Virgin Media 3, 4, More, and VMTV Player. The company reassured its customers that it has strict cyber protection measures in place and has activated precautions in response to the attack.
In a statement, the broadcaster said, ‘To ensure maximum security, certain technologies have been temporarily disconnected while undergoing a review process. The broadcaster anticipates that normal service will resume after the completion of the review and verification process. It is important to note that the issue pertains only to Virgin Media Television and does not affect any other Virgin Media Ireland operations.’
Activision confirms data breach
Activision, the creators of Call of Duty, have confirmed that their systems were breached by hackers towards the end of last year. The threat actors successfully exfiltrated sensitive employee data and information about unreleased game content. The stolen data includes full names, email addresses, and phone numbers, as well as confidential information such as salaries and work locations.
Although the breach occurred on December 4, 2022, Activision did not announce or confirm the cyber-attack at the time, continuing the trend of large companies delaying the time between breach discovery and disclosure. The hackers gained access to the system after an employee fell for a text message phishing scam, as is often the case with data breaches. This highlights the crucial importance of ensuring that staff are adequately trained in recognising suspicious emails to prevent similar incidents from happening in the future.
