It's not been a great week for cloud computing service provider Rackspace.
On December 2, customers began experiencing problems connecting and logging into their Exchange environments. Rackspace started investigating and discovered an issue that affected its Hosted Exchange environments.
Now Rackspace has announced it was actually a ransomware incident that caused the service disruptions.
While the investigation is ongoing, there are no details known about which ransomware is at play or how the threat actor gained initial access. In a press release Rackspace said that the incident was isolated to its Hosted Exchange business. Rackspace has not showed up on any of the known leak sites that ransomware groups use to apply extra pressure on their victims, but this could also be due to the fact that there are ongoing negotiations.
Rackspace’s Hosted Exchange customers are mostly small to medium size businesses that don’t have the need or staff to run a dedicated on-premise Exchange server. The outage still affects all services in its Hosted Exchange environment, including MAPI/RPC, POP, IMAP, SMTP, and ActiveSync, as well as the Outlook Web Access (OWA) interface that provides access to online email management.
Rackspace said it will help affected customers implement a temporary forwarding while the disruption is ongoing:
“As a temporary solution while you set up Microsoft 365, it is possible to also implement a forwarding option that will allow mail destined for a Hosted Exchange user to be routed to an external email address. Please log in to your customer account for a ticket with instructions to request this option. Customers should reply to the ticket to request the forwarding rule be put into place for each of their users.”
In an 8-K SEC filing Rackspace states that it expects a loss of revenue due to the ransomware attack's impact on its $30 million Hosted Exchange business. An 8-K form is required to report any events concerning a company that could be of importance to the shareholders of that company or the Securities and Exchange Commission (SEC).
The attack vector
One possible attack vector was pointed out by security researcher Kevin Beaumont. It might be due to exploitation of the Microsoft Exchange vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, known as ProxyNotShell.
Beaumont found a Rackspace Exchange server cluster—currently offline—was running a build number from August 2022 a few days prior to the incident disclosure. Since the ProxyNotShell vulnerabilities were only fixed in November, it’s possible that threat actors exploited the flaws to breach Rackspace servers.
One important conclusion Beaumont notes in his post is:
“For a managed service provider (MSP) running a shared cluster, such as Hosted Exchange, it means that one compromised account of one customer will compromise the entire hosted cluster.”
This is what may have happened at Rackspace. Don’t let it happen to you.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.