The security incident recently reported at GoDaddy is not limited to GoDaddy. The attack is multi-year and affects hundreds of thousands, or even millions, of accounts across multiple hosting providers. The criminals are deploying redirects and other malicious payloads. We at Imunify have observed and combated this widespread issue and have been addressing it through our Imunify360 security solution.
This issue is extremely widespread and has been spotted at most hosting providers, large and small. Hackers have lists of hundreds of thousands of cracked accounts that they periodically use to deploy new malware. We do not believe there is a single group of hackers, but rather multiple groups using different tactics and cracked account lists. At Imunify, we regularly see spikes of infections through such accounts. Imunify has been using different approaches to prevent such attacks since 2019, and we added password resets in 2022 as the situation continued to deteriorate.
In January 2023 alone, we saw more than 20,000 cases where hackers were able to deploy malware using cracked passwords, and we block more than 3,000 such attempts each day. The main problem in stopping such attacks is that they look just like a regular user uploading a new file – a completely normal activity. With polymorphic and obfuscated malware, we often have to play catch-up, unless the password is reset.
Hackers employ different methods to deploy malware, including control panel file managers and the SSH, FTP, and WebDAV protocols. The deployment is automated. Beyond redirects, hackers often deploy backdoors: PHP scripts that can trigger re-infections when someone navigates to a particular URL, cron jobs, and WordPress plugins.
We believe that the lists of cracked accounts are acquired on the black market and collected not just by brute-forcing but also by keyloggers or similar mechanisms. The issue is uniformly widespread across hosting companies and does not target a particular company more than others.
Companies without Imunify360 are significantly more affected as they lack the anti-bruteforce, compromised account detection, and automated password reset mechanisms. We encourage companies to be proactive and address this issue to protect their customers' data and their reputation.
The recent news about the security incident at GoDaddy is a wake-up call for the hosting industry to address the issue of compromised shared hosting and WordPress accounts. Imunify360 provides a comprehensive solution to detect and block malicious agents, clean up redirects and backdoors, and reset passwords automatically. Companies without such automated security solutions may face more significant risks and should take proactive measures to protect their customers' data and their reputation.
Imunify360 is an automated security solution that detects compromised shared hosting and WordPress accounts and blocks the malicious agent. In some cases, we notify the host, and in others, we reset the password, forcing the end user to change it. We can also clean up a large number of redirects and backdoors that hackers leave.