On 23 April 2020, GoDaddy, an American internet domain registrar and web hosting company based in Scottsdale, Arizona, confirmed a data breach in an email signed by Demetrious Comes, the company's CISO and vice-president.
Of the company's more than 19 million customers worldwide, approximately 28,000 were affected: their SSH credentials were compromised by an unauthorized individual, a company spokesperson confirmed in a public statement.
In the same announcement the company said that, to contain the damage, it immediately reset the affected usernames and passwords and removed the SSH files from the platform. It also assured customers that the attacker had no access to anyone's main account.
The company's intelligence team reported that the breach resulted in “active exploitation of vulnerabilities in two related plugins”, namely Elementor Pro and Ultimate Addons for Elementor.
In the same announcement the company also stated that the intrusion first occurred in October 2019. That makes it a recurring, ongoing attack rather than a single event, which is why the company continues to take precautions to protect its customers' websites. GoDaddy has also chosen to release very limited information so as not to attract unnecessary attention. It has published a set of firewall rules to help customers protect their websites, and for the same reason has made its firewall free until 5 June 2020.
It is worth understanding what these plugins are and how they are affected. The first is Elementor Pro, made by Elementor; it has been clarified that the issue does not affect the free Elementor plugin.
The major issue in this plugin is a zero-day vulnerability: it allows users to upload files without any check for malicious content, leading to remote code execution, which gives an attacker the ability to make arbitrary changes to the system on another person's server from anywhere in the world. Because the flaw was not fixed in time, those responsible are continuing to work to limit the damage as far as possible. In a newer version of the second plugin, Ultimate Addons for Elementor version 1.24.2, the issue was that it allowed attackers to create ‘subscriber level users’ even when user registration was turned off. According to reports, this issue has not yet been successfully fixed.
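The upload flaw described above comes down to a handler that writes whatever the client sends. The following is an added example, not code from the article, GoDaddy or Elementor, showing the checks such a handler needs before it stores a file: an extension allowlist applied to every suffix in the name, a magic-byte check on the file's own contents, a scan for an embedded PHP open tag, and a server-generated storage name. All function names and the sample inputs are constructed for this illustration.

```python
import os
import secrets

# Allowed extensions mapped to the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Suffixes a web server may execute or render as active content. None may appear anywhere
# in the name, so "shell.php.jpg" is rejected along with "shell.php".
EXECUTABLE_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                       "html", "htm", "js", "svg"}


def _safe_base(filename):
    # Drop any directory part so "../../wp-config.png" cannot steer the storage path.
    return os.path.basename(filename.replace("\\", "/"))


def check_upload(filename, data):
    """Validate an upload. Returns (ok, reason).

    Neither the client-supplied name nor any declared MIME type is trusted: the decision
    rests on the extension allowlist and on the file's own bytes.
    """
    parts = _safe_base(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"   # also rejects ".htaccess"
    suffixes = parts[1:]
    if any(s in EXECUTABLE_SUFFIXES for s in suffixes):
        return False, "executable extension"
    ext = suffixes[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # A valid image header does not rule out a PHP payload appended or hidden in metadata.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(ext):
    """Server-chosen file name: the uploader never picks where or as what the file lands."""
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename, data, upload_dir):
    """Check the upload and, if it passes, write it under a random name.

    Returns (stored path or None, reason).
    """
    ok, reason = check_upload(filename, data)
    if not ok:
        return None, reason
    ext = _safe_base(filename).lower().rsplit(".", 1)[-1]
    path = os.path.join(upload_dir, stored_name(ext))
    with open(path, "wb") as fh:
        fh.write(data)
    return path, reason


if __name__ == "__main__":
    # Constructed sample uploads: name, content.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("shell.php", b"<?php /* constructed */"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("fake.png", b"<?php /* constructed */"),
        ("polyglot.gif", b"GIF89a<?php /* constructed */"),
    ]
    for name, content in samples:
        print(f"{name:16} -> {check_upload(name, content)}")
```

The order of the checks matters: the executable-suffix test runs before the allowlist lookup so that a double extension never reaches the content check, and the content check runs before the storage name is chosen so nothing is written for a rejected file.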
The next step is to understand how users' websites can be protected from such attacks and, most importantly, what precautions should be taken at the customer level.
Although GoDaddy has reset the passwords and removed the ‘attacker's public key’, users are strongly recommended to change their website's database password as well.
Other precautions include making the necessary changes to the plugins until the vulnerabilities are properly fixed. It is also advised that websites be checked periodically for unknown or unusual files and for unexpected subscriber-level users, and in particular for arbitrary files with unusual names such as “wp-xmlrpc.php”.
Following the precautions prescribed by the company will help prevent further attacks on users' websites.
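The periodic checks recommended above can be scripted. The following is an added example, not code from the article or from GoDaddy, that walks a WordPress document root and flags the kinds of artifact the article mentions (a file named wp-xmlrpc.php anywhere, PHP files or PHP code inside the uploads directory, core file names appearing outside the document root) and then lists subscriber accounts registered after the date self-registration was switched off. The directory tree, the user export and the cutoff date are all constructed for the illustration; on a real site the user list would come from the wp_users and wp_usermeta tables or WP-CLI.

```python
import os
import tempfile
from datetime import datetime

# Directories that should only ever hold static content; PHP here is a red flag.
STATIC_DIRS = ("wp-content/uploads",)
# Core file names that belong at the document root only; a copy elsewhere is suspicious.
ROOT_ONLY_NAMES = {"xmlrpc.php", "wp-login.php", "wp-config.php"}
# Names the article reports as attacker artifacts (constructed list; extend with your own).
KNOWN_BAD_NAMES = {"wp-xmlrpc.php"}


def _in_static_dir(rel_dir):
    return any(rel_dir == d or rel_dir.startswith(d + "/") for d in STATIC_DIRS)


def _starts_with_php_tag(path):
    with open(path, "rb") as fh:
        return fh.read(64).lstrip().startswith((b"<?php", b"<?="))


def find_suspicious_files(root):
    """Walk a WordPress document root and return sorted (relative_path, reason) pairs."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        in_static = _in_static_dir(rel_dir)
        for name in files:
            rel_path = name if rel_dir == "." else f"{rel_dir}/{name}"
            lower = name.lower()
            if lower in KNOWN_BAD_NAMES:
                findings.append((rel_path, "known attacker file name"))
            elif in_static and lower.endswith(".php"):
                findings.append((rel_path, "PHP file in a static-content directory"))
            elif in_static and _starts_with_php_tag(os.path.join(dirpath, name)):
                findings.append((rel_path, "PHP code under a non-PHP extension"))
            elif lower in ROOT_ONLY_NAMES and rel_dir != ".":
                findings.append((rel_path, "core file name outside the document root"))
    return sorted(findings)


def find_unexpected_subscribers(users, registration_closed_since):
    """users: dicts with 'login', 'role' and 'registered' (ISO 8601, naive UTC).

    Returns the logins of subscriber accounts registered after self-registration was
    switched off; with registration closed, none of these should exist.
    """
    return sorted(
        u["login"]
        for u in users
        if u["role"] == "subscriber"
        and datetime.fromisoformat(u["registered"]) >= registration_closed_since
    )


def build_sample_site():
    """Constructed miniature WordPress tree in a temp dir (not a real install); returns its root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        "index.php": b"<?php /* legitimate core file */",
        "xmlrpc.php": b"<?php /* legitimate core file at the root */",
        "wp-content/uploads/2020/04/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "wp-content/uploads/2020/04/cache.php": b"<?php /* constructed: PHP where none belongs */",
        "wp-content/uploads/2020/04/icon.ico": b"<?php /* constructed: PHP under an image name */",
        "wp-content/plugins/some-plugin/wp-xmlrpc.php": b"<?php /* constructed: name from the article */",
        "wp-includes/xmlrpc.php": b"<?php /* constructed: core name in the wrong place */",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


# Constructed user export and cutoff date (the day registration was switched off).
SAMPLE_USERS = [
    {"login": "admin", "role": "administrator", "registered": "2018-05-01T10:00:00"},
    {"login": "editor1", "role": "editor", "registered": "2019-02-11T09:30:00"},
    {"login": "reader42", "role": "subscriber", "registered": "2019-08-20T12:00:00"},
    {"login": "wp_tmp", "role": "subscriber", "registered": "2020-04-20T03:14:00"},
]
REGISTRATION_CLOSED = datetime(2019, 9, 1)

if __name__ == "__main__":
    site = build_sample_site()
    for path, reason in find_suspicious_files(site):
        print(f"{reason:42} {path}")
    print("unexpected subscribers:", find_unexpected_subscribers(SAMPLE_USERS, REGISTRATION_CLOSED))
```

Run it against a real document root with `find_suspicious_files("/var/www/html")` (a hypothetical path) and compare successive runs: a file that appears between two checks is the signal, and a subscriber created while registration is closed is worth treating as an attacker account until proven otherwise.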