[Security News] GoDaddy Source Code Stolen After Hacker Intruded Network for Years
February 2023
1. GoDaddy source code stolen after hacker intruded network for years
Web hosting giant GoDaddy revealed that an unauthorized third party was detected stealing source code and installing malware in its network. GoDaddy provides hosting services to over 20 million websites worldwide.
The intrusion was first detected in December 2022 when some customers reported that their websites were being intermittently redirected. After a thorough investigation, GoDaddy confirmed that a sophisticated threat actor had gained access to its network. The same attacker was not only responsible for the latest incident but had also remained undetected in GoDaddy’s network for years, and was linked to the previous data breaches reported in March 2020 and November 2021.
GoDaddy suggested that the attacker’s goal was to infect the websites of GoDaddy customers by installing malware for phishing campaigns and malware distribution. The fact that the attackers were able to stay in the network for so long even after several data breaches means that threat actors are becoming increasingly capable of avoiding detection.
Sources: SC Media, Infosecurity
2. Produce giant Dole shuts down production after ransomware attack
Dole, one of the largest producers of fruits and vegetables, announced in late February that its operations were impacted by a ransomware attack, forcing it to shut down production plants in North America.
Many grocery stores across North America were affected. Customers had complained about a shortage of prepackaged Dole salads a week before the attack was disclosed, and some grocery stores reported being unable to receive shipments from Dole for more than a week. These reports suggest that the attack may have occurred much earlier than the disclosure.
The ransomware strain and the amount of the ransom demand remain unknown.
Sources: Bleeping Computer, CNN
3. New threat group Hydrochasma targets medical labs and shipping firms in Asia
According to security researchers at Symantec, a newly discovered threat actor dubbed “Hydrochasma” is actively targeting medical labs and shipping companies across Asia, in an attempt to gather intelligence related to COVID-19 vaccines or treatments.
Hydrochasma was seen using publicly available software, including VPN tools such as Dogz and SoftEtherVPN, as well as vulnerability scanners such as Gogo, a tool designed for red teams. The threat actor uses these tools to remain undetected in the victim’s network, then moves within the network using privilege escalation techniques.
Hydrochasma gains initial access to networks through phishing emails, either by attaching a phishing document that carries the name of the victim organization in its native language or by using fake job postings. After obtaining initial access, Hydrochasma uses Fast Reverse Proxy (FRP) to bypass firewalls and maintain persistent access.
4. Reddit suffers data breach following phishing attack on employee
Reddit disclosed a data breach after its internal systems were accessed by an unauthorized third party on February 5, following a highly sophisticated and targeted phishing attack against one of its employees.
The attackers made an identical version of Reddit’s intranet gateway login page and lured an employee into entering their login credentials and two-factor authentication code. After successfully breaking into one employee account, the attackers were able to gain access to internal documents and source code.
The accessed data included some internal dashboards, contact information of employees, and information about some advertisers. Reddit stated that no credit card information or passwords were exposed in the breach, and that its primary production systems remained unaffected.
Sources: Bleeping Computer, The Hacker News
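The Reddit item above turns on one detail: the look-alike login page captured not just the password but the two-factor code, and the real gateway accepted it. The following Python model, added here as an illustration and not code from Reddit or from any project the page describes, shows why. A time-based one-time code (RFC 6238 TOTP) depends only on the seed and the clock, so the server cannot tell which site the user typed it into; an origin-bound assertion (the WebAuthn/FIDO2 idea, simplified) includes the origin the browser reports, so an assertion produced on a look-alike domain fails verification at the genuine one. The origins `intranet.example` and `intranet-example.net`, the seed (the RFC 6238 test-vector seed) and the device key are constructed values; the HMAC used for the assertion stands in for a real public-key signature to keep the example dependency-free.

```python
import hashlib
import hmac
import struct

# Constructed values for this example; none of them come from the Reddit incident.
REAL_ORIGIN = "https://intranet.example"           # the genuine gateway login page
LOOKALIKE_ORIGIN = "https://intranet-example.net"  # the attacker's copy of the login page
TOTP_SECRET = b"12345678901234567890"              # RFC 6238 test-vector seed, used as the employee's seed
DEVICE_KEY = b"constructed-per-credential-key"     # stands in for an authenticator's private key


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends on the seed and the time only,
    not on the website the user is typing it into."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, submitted: str, now: int, step: int = 30) -> bool:
    """Typical server check: accept the current code or the previous step (clock drift)."""
    return any(hmac.compare_digest(totp_code(secret, now - d * step), submitted) for d in (0, 1))


def relayed_totp_is_accepted(now: int = 1_700_000_000) -> bool:
    """Model of the incident: the employee types the TOTP into the look-alike page and the
    code is submitted to the real gateway a few seconds later, inside the validity window.
    The genuine server sees a correct code and has no way to tell where it was typed."""
    code_typed_into_fake_page = totp_code(TOTP_SECRET, now)
    seconds_until_real_gateway_sees_it = 5
    return server_accepts_totp(TOTP_SECRET, code_typed_into_fake_page,
                               now + seconds_until_real_gateway_sees_it)


def sign_challenge(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Origin-bound assertion, simplified: the authenticator signs the server's challenge
    together with the origin the browser reports. HMAC stands in for a public-key signature."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The genuine gateway recomputes over ITS own origin; an assertion produced for any
    other origin does not match, even with the right key and the right challenge."""
    expected = sign_challenge(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def origin_bound_login_is_accepted(browser_origin: str) -> bool:
    """The real server issues a challenge, the browser at `browser_origin` has the
    authenticator sign it, and the real server verifies against REAL_ORIGIN."""
    challenge = hashlib.sha256(b"constructed-challenge-nonce").digest()
    assertion = sign_challenge(DEVICE_KEY, challenge, browser_origin)
    return verify_assertion(DEVICE_KEY, challenge, REAL_ORIGIN, assertion)


if __name__ == "__main__":
    print("relayed TOTP accepted by real gateway:", relayed_totp_is_accepted())            # True
    print("origin-bound login from real site:", origin_bound_login_is_accepted(REAL_ORIGIN))  # True
    print("origin-bound login from look-alike:", origin_bound_login_is_accepted(LOOKALIKE_ORIGIN))  # False
```

The contrast is the practical takeaway for defenders: a code the user can read and retype is, by construction, something the user can be talked into retyping elsewhere, so the protection against a cloned login page has to come from a credential that is bound to the origin rather than from a shorter validity window.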
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security