GoDaddy joins the dots and realizes it’s been under attack for three years

In brief Web hosting and domain name concern GoDaddy has disclosed a fresh attack on its infrastructure, and concluded that it is one of a series of linked incidents dating back to 2020.

The business took the unusual step of detailing the attacks in its Form 10-K – the formal annual report listed entities are required to file in the US.

The filing details a March 2020 attack that “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel” and a November 2021 breach of its hosted WordPress service.

The latest attack came in December 2022, when boffins detected “an unauthorized third party gained access to and installed malware on our cPanel hosting servers,” the filing states. “The malware intermittently redirected random customer websites to malicious sites.”

GoDaddy is unsure of the root cause of the incident, but believes it could be the result of “a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”

“To date, these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations,” the filing states – showing enormous empathy for customers whose sites were redirected in the most recent attack, or impacted by the earlier incidents.

In a brief statement on the incident, GoDaddy hypothesized that the goal of the December 2022 attacks “is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

– Simon Sharwood

Moscow considers legalizing hacking – but only for the glory of Mother Russia

The Russian government is working on changes to its criminal code that would legalize hacking in the Federation – provided it’s being done in the service of Russian interests, of course. 

According to Russian news service TASS, Alexander Khinshtein, head of the state Duma committee on information policy, wants exemptions from liability given to hackers, but aside from tossing the idea out to reporters he didn’t have details to add. 

Still, Khinshtein argued, “I am firmly convinced that it is necessary to use any resources to effectively fight the enemy,” adding that Russia needs to be able to respond adequately to any threat – and who better to help than a well-established army of hackers?

Russian-linked hacking groups are notorious for the damage caused – or attempted – by groups like Killnet, Cozy Bear, Vice Society or any of the myriad others linked to attacks on its enemies – both in Ukraine and elsewhere.  

Those groups may operate with a certain amount of impunity within Russia, but the law still isn’t on their side, as TASS pointed out. Russian laws regarding cyber crimes are strict – if not always enforced – and exceptions are reportedly nonexistent. 

Two sets of laws pertain to hacking activity: Articles 272 and 273 of the Criminal Code of the Russian Federation, which cover illegal access and the creation, distribution and use of malicious computer software, respectively. 

Gaining illegal access and/or using malicious software, if it leads to “grave consequences or [the creation of] a threat,” can earn a Russian up to seven years in prison, with lesser possible terms for less damage or acting independently of a group.

Adding exceptions for what TASS described as “white hat” operations in the interest of the Russian government would provide considerable leeway for state-sponsored hackers already doing so.

More alarming, however, is the encouragement it would give to green hats more likely to break a system than break into it, script kiddies in it for the lulz, and dark web turnkey crooks. There’s no indication such a law is on the way to passage – Khinshtein said it still needed to be spoken about “in more detail” – but it might be a good idea to reinforce that security posture. Especially if you’re in a critical industry.

Critical vulnerabilities of the week

We’re still hot on the heels of February’s rather romantic Patch Tuesday, so if you’re wondering where a few well-publicized vulnerabilities are in this list – we may have already covered them. 

That said, there’s still plenty of patching fun to be had if you’re not sick of it already. 

  • CVSS 10.0 – CVE-2023-24482: Siemens COMOS plant engineering software contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code and cause a denial of service; 
  • CVSS 9.8 – CVE-2022-1343: Siemens Brownfield Connectivity Client contains several vulnerabilities able to cause a denial-of-service condition;
  • CVSS 9.8 – CVE-2022-46169: Open source operational monitoring and fault management software Cacti contains a command injection vulnerability which is not new, but which CISA said it has recently seen exploited in the wild, so patch now;
  • CVSS 9.8 – CVE-2022-39952: FortiNAC web server may allow an unauthenticated attacker to perform an arbitrary write due to an external control of file name path vulnerability (now patched);
  • CVSS 9.3 – CVE-2021-42756: FortiWeb’s proxy daemon has multiple stack-based buffer overflow vulnerabilities that can allow an unauthenticated attacker to achieve arbitrary code execution. 

Mozilla’s Firefox 110, Firefox ESR 102.8 and Thunderbird 102.8 were also released this week, and addressed a total of eight CVEs shared by a mix of the three products. As Mozilla’s bug reports are restricted and it doesn’t provide actual CVSS scores, we’ve selected bugs it rates as high priority, defined as those that can be used to gather sensitive data and “requiring no more than normal browsing actions.” 

None of the bugs Mozilla patched in this release were considered critical. 

  • CVE-2023-0767: Maliciously-crafted PKCS 12 files can be used to trigger arbitrary memory writes;
  • CVE-2023-25728: the Content-Security-Policy-Report-Only header can be abused to leak child iframe unredacted URI;
  • CVE-2023-25730: Requesting fullscreen mode and then blocking the main thread can force Firefox into fullscreen mode indefinitely, allowing confusion or spoofing attacks;
  • CVE-2023-25735: Firefox’s Spidermonkey JavaScript engine has a use-after-free bug due to a compartment mismatch;
  • CVE-2023-25737: An invalid downcast from nsTextNode to SVGElement can cause undefined behavior;
  • CVE-2023-25738: Firefox on Windows is experiencing problems whereby printing is crashing device drivers;
  • CVE-2023-25739: Failed module load requests aren’t being checked, leading to use-after-free vulnerabilities in ScriptLoadContext;
  • CVE-2023-25743: Firefox Focus doesn’t include a notification for entering fullscreen mode, which could allow malicious website spoofing.

Finally, CVE-2023-24809 won’t keep anyone up at night, unless they are avid players of the venerable Rogue-like adventure game NetHack. The 5.5-rated flaw is found in versions 3.6.2 through to 3.6.6 and means illegal input to the “C” (call) command can cause a buffer overflow and crash the NetHack process. “This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems”, an advisory warns. Upgrading to version 3.6.7 solves the problem. No save-scumming, people!

Emergency declared in Oakland, CA after ransomware attack

Oakland, California declared a state of emergency on Valentine’s Day – and not because there was too much love in the air. A week of work hasn’t done a whole lot to clear up a ransomware attack that hit the city on February 8.

As we reported in last week’s security roundup, the attack didn’t take down 911 services, disrupt finances or worsen emergency response times, but the precaution of taking a good portion of the city’s network offline to stop the attack has led to a slow recovery and left some non-emergency systems inaccessible. 

“The network outage has impacted many non-emergency systems including our ability to collect payments, process reports, and issue permits and licenses,” the city declared in an update on February 15, adding that residents should call before showing up at a city office in case it’s closed. 

The Oakland government said that police and fire departments are still responding to emergency calls as usual, but that non-emergency requests should be made online or reported by a call to the local 311 non-emergency line. 

By declaring a state of emergency, Oakland has expedited its ability to procure equipment and materials to respond to the ransomware attack, as well as activating emergency workers and making it easier for leadership to issue orders. 

The Oakland city government said the attack investigation is ongoing, and law enforcement is investigating. The city hasn’t said how the attack occurred, who was behind it or what sort of ransom demand was made. ®