GoDaddy 泄露 – 明文密码 – 1.2M 受影响

此处提供更新： GoDaddy Breach 扩大到 tsoHost、Media Temple、123Reg、Domain Factory、Heart Internet 和 Host Europe

今天早上，GoDaddy 披露，一名未知攻击者未经授权访问了用于配置公司托管 WordPress 站点的系统，影响了多达 120 万的 WordPress 客户。请注意，此数字不包括受此违规影响的那些网站的客户数量，并且一些 GoDaddy 客户的帐户中有多个托管 WordPress 网站。

根据 GoDaddy 向美国证券交易委员会提交的报告 [1]，攻击者最初于 2021 年 9 月 6 日通过泄露的密码获得访问权限，并于 2021 年 11 月 17 日被发现，此时他们的访问权限被撤销。虽然该公司立即采取行动减轻损失，但攻击者有两个多月的时间来建立持久性，因此目前使用 GoDaddy 托管 WordPress 产品的任何人都应该假设妥协，直到他们确认情况并非如此。

GoDaddy 似乎将 sFTP 凭据存储为纯文本，或以可以反转为纯文本的格式。他们这样做而不是使用加盐哈希或公钥，这两者都被认为是 sFTP 的行业最佳实践。这允许攻击者直接访问密码凭据而无需破解它们。

根据他们提交给 SEC 的文件：“对于活跃客户，sFTP 和数据库用户名和密码被暴露了。”

我们试图联系 GoDaddy 征求意见并确认我们的调查结果，但他们没有立即回复我们的评论请求。

攻击者可以访问什么？

SEC 文件表明，攻击者可以访问用户电子邮件地址和客户编号、在配置时设置的原始 WordPress 管理员密码以及 SSL 私钥。所有这些都可能对攻击者有用，但其中一项特别突出：

在 2021 年 9 月 6 日至 2021 年 11 月 17 日期间，攻击者可以访问活跃客户的 sFTP 和数据库用户名和密码。 

GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.

We confirmed this by accessing the user interface for GoDaddy Managed Hosting and were able to view our own password, shown in the screenshot below. When using public-key authentication or salted hashes, it is not possible to view your own password like this because the hosting provider simply does not have it.

You’ll also note that the system is using port 22, which is Secure File Transfer Protocol. There are several kinds of sFTP, and this confirms that they’re using sFTP via SSH, which is encrypted, and designed to be one of the most secure ways to transfer files. Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.

GoDaddy appears to acknowledge that they stored database passwords as plaintext or in a reversible format. These are also retrievable via their user interface. Unfortunately storing database passwords as plaintext is quite normal in a WordPress setting, where the database password is stored in the wp-config.php file as text. What is more surprising, in this breach, is that the password that provides read/write access to the entire filesystem via sFTP is stored as plaintext.

What could an attacker do with this information?

While the SEC filing emphasizes the potential phishing risk posed by exposed email addresses and customer numbers, the risk posed by this is minimal compared to the potential impact of exposed sFTP and database passwords.

Although GoDaddy immediately reset the sFTP and Database passwords of all the impacted sites, the attacker had nearly a month and a half of access during which they could have taken over these sites by uploading malware or adding a malicious administrative user. Doing so would allow the attacker to maintain persistence and retain control of the sites even after the passwords were changed.

Additionally, with database access, the attacker would have had access to sensitive information, including website customer PII (personally identifiable information) stored on the databases of the impacted sites, and may have been able to extract the contents of all impacted databases in full. This includes information such as the password hashes stored in the WordPress user accounts databases of affected sites, and customer information from e-Commerce sites.

An attacker could similarly gain control on sites that had not changed their default admin password, but it would be simpler for them to simply use their sFTP and database access to do so.

On sites where the SSL private key was exposed, it could be possible for an attacker to decrypt traffic using the stolen SSL private key, provided they could successfully perform a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site.

What should I do if I have a GoDaddy Managed WordPress site?

GoDaddy will be reaching out to impacted customers over the next few days. In the meantime, given the severity of the issue and the data the attacker had access to, we recommend that all Managed WordPress users assume that they have been breached and perform the following actions:

• If you’re running an e-commerce site, or store PII (personally identifiable information), and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach. Please research what the regulatory requirements are in your jurisdiction, and make sure you comply with those requirements.
• Change all of your WordPress passwords, and if possible force a password reset for your WordPress users or customers. As the attacker had access to the password hashes in every impacted WordPress database, they could potentially crack and use those passwords on the impacted sites.
• Change any reused passwords and advise your users or customers to do so as well. The attacker could potentially use credentials extracted from impacted sites to access any other services where the same password was used. For example, if one of your customers uses the same email and password on your site as they use for their Gmail account, that customer’s Gmail could be breached by the attacker once they crack that customer’s password.
• Enable 2-factor authentication wherever possible. The Wordfence plugin provides this as a free feature for WordPress sites, and most other services provide an option for 2-factor authentication.
• Check your site for unauthorized administrator accounts.
• Scan your site for malware using a security scanner.
• Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins, or plugins that do not appear in the plugins menu, as it is possible to use legitimate plugins to maintain unauthorized access.
• Be on the lookout for suspicious emails – phishing is still a risk, and an attacker could still use extracted emails and customer numbers to obtain further sensitive information from victims of this compromise.

Conclusion

The GoDaddy Managed WordPress data breach is likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, and this affects not only site owners, but their customers. The SEC filing says that “Up to 1.2 million active and inactive Managed WordPress customers” were affected. Customers of those sites are most likely also affected, which makes the number of affected people much larger.

For the time being, anyone using GoDaddy’s Managed WordPress offering should assume their sites have been compromised until further information becomes available, and follow the steps we have provided in this article. We will update the article if more information becomes available.

References:

1. GoDaddy SEC Report: https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm

Note: All product names, logos, and brands are property of their respective owners in the United States and/or other countries. All company, product, and service names used on this page are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

Did you enjoy this post? Share it!