Users whose websites are hosted by Go Daddy are being infected with ransomware after attackers tampered with the DNS records of customer domains, online security experts are reporting.

According to Fraser Howard, a Principal Virus Researcher with SophosLabs, the hackers behind these attacks are “exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers.” Because the parent domain is legitimate, the criminals can set up URLs that look trustworthy, potentially slipping past security filtering systems and duping Internet users into believing the links are harmless, he explained in a Friday blog entry. In some instances, multiple subdomains were added to a single account, each resolving to at least one malicious IP address.
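The pattern Howard describes (apex and known hosts unchanged, extra subdomains pointing elsewhere) is straightforward to audit from a zone export if you know which netblocks your hosting legitimately uses. The script below is an added example, not code from Sophos or Go Daddy; the zone fragment, the hostnames and the CIDR ranges in it are constructed for illustration (RFC 5737 documentation prefixes), and the parser handles only a simple BIND-style layout.

```python
"""
Audit a zone's A records for injected subdomains: names that resolve to
addresses outside the legitimate hosting ranges, or names nobody expects.

Added example; zone data and netblocks below are constructed, not real.
"""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Constructed BIND-style zone fragment. The first three A records are the
# site's legitimate hosts; the last two model injected subdomains whose
# A records point at a rogue server in a different network.
ZONE = """
$ORIGIN example.com.
@           3600 IN A     203.0.113.10
www         3600 IN A     203.0.113.10
mail        3600 IN A     203.0.113.25
@           3600 IN MX 10 mail.example.com.
; injected records (constructed for the example)
akxn2k      60   IN A     198.51.100.77
upd-secure  60   IN A     198.51.100.77
"""


def parse_a_records(zone_text: str) -> List[Tuple[str, int, str]]:
    """Return (fqdn, ttl, ipv4) for every A record in a simple zone fragment.

    Handles $ORIGIN, '@' for the apex, relative and absolute names, and ';'
    comments. Other record types are skipped. Not a full RFC 1035 parser.
    """
    origin = ""
    records: List[Tuple[str, int, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        # Expected layout: name ttl class type rdata...
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        name, ttl, rtype, rdata = fields[0], fields[1], fields[3], fields[4]
        if rtype.upper() != "A":
            continue
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn, int(ttl), rdata))
    return records


def find_rogue_subdomains(
    zone_text: str,
    allowed_ranges: Iterable[str],
    known_hosts: Optional[Set[str]] = None,
) -> List[Tuple[str, str, List[str]]]:
    """Flag A records that do not fit the legitimate hosting baseline.

    allowed_ranges: CIDR strings for the networks your hosts should live in.
    known_hosts: optional set of FQDNs you expect to exist; any other name
    is flagged even if it resolves into an allowed range.
    Returns (fqdn, ip, reasons) for each suspicious record.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in allowed_ranges]
    findings: List[Tuple[str, str, List[str]]] = []
    for fqdn, _ttl, ip in parse_a_records(zone_text):
        reasons: List[str] = []
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            reasons.append("outside allowed ranges")
        if known_hosts is not None and fqdn not in known_hosts:
            reasons.append("unexpected hostname")
        if reasons:
            findings.append((fqdn, ip, reasons))
    return findings


if __name__ == "__main__":
    baseline = {"example.com", "www.example.com", "mail.example.com"}
    for fqdn, ip, why in find_rogue_subdomains(ZONE, ["203.0.113.0/24"], baseline):
        print(f"{fqdn} -> {ip}: {', '.join(why)}")
```

The check only works against a baseline you maintain (your provider's netblocks and the hostnames you created), which is exactly the information a reputation filter keyed on the parent domain does not have; that is why Howard notes these URLs can pass filtering systems.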

Howard reports the exploit kit hosted on the rogue subdomains is called “Cool EK” and appears to be Russian in origin, judging by the “login page for the admin panel.” The method used in the attack is “very similar to Blackhole exploit kit,” he added, and visitors unfortunate enough to land on the malicious destination page “are hit with various malicious files, exploiting several vulnerabilities, in order to infect them with ransomware. Once running, the ransomware displays the familiar payment page, with contents that vary based on the country of the victim.”
Sophos believes that easily cracked or stolen passwords are one possible explanation for how the hackers gained access to the Go Daddy DNS records. Howard asked one affected webmaster to review his account's login history, but the webmaster was unable to do so, and attempts to contact the hosting firm offered no insight either, as it declined to release information about account logins or other activity.
This may not have been the first hacking claim against Go Daddy this fall. In September, a hacker associated with the shadowy group Anonymous claimed to have taken down the domain registrar and web hosting company. However, one day after the outage, Go Daddy denied it had been targeted by cybercriminals.
"The service outage was not caused by external influences,” CEO Scott Wagner said in a statement. “It was not a ‘hack’ and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and”
Cross-posted from: Red Orbit
