Rackspace email outage confirmed as ransomware attack

Rackspace has confirmed that an ongoing outage affecting its hosted Microsoft Exchange customers is the result of a ransomware attack against its hosted Exchange environment, carried out by an unspecified group.

The outage was first reported at 7.49am GMT on Friday 2 December, when Rackspace began investigating reports of connectivity issues to its Microsoft Exchange environments, which resulted in users hitting an error when they tried to access the Outlook Web App and sync their email clients.

In the interim, it has been offering customers access to Microsoft 365 as a stopgap measure, and says it has now migrated tens of thousands of users and domains across. As of its last update, issued at 1.26pm GMT on 6 December, it is unable to provide a timeline for when it might be able to restore Hosted Exchange services.

In a statement, a Rackspace spokesperson said: “Rackspace Technology today announced a ransomware incident affecting its Hosted Exchange environment, which is causing service disruptions for the company’s Hosted Exchange customers.

“Alongside the Rackspace Technology internal security team, the company has engaged a leading cyber defence firm to investigate. Immediately upon detecting the incident, the company took proactive measures to isolate the Hosted Exchange environment to contain the incident.”

Based on its investigation so far, the company believes the incident has been isolated to its Hosted Exchange business. Its other products and services remain fully operational and there appears to have been no impact to its Email product line or platform. However, as a precautionary measure, it has put additional security measures and monitoring in place.

The spokesperson said: “Rackspace Technology is in ongoing communication with Hosted Exchange customers to help them migrate to a new environment as quickly as possible. Rackspace Technology has surged support staff and will be taking additional steps to help guide customers through this process in order to limit the impact to their own operations.

“Although Rackspace Technology is in the early stages of assessing this incident, the incident has caused, and may continue to cause, an interruption in its Hosted Exchange business and may result in a loss of revenue for the Hosted Exchange business, which generates approximately $30m of annual revenue in the Apps & Cross Platform segment. In addition, Rackspace Technology may have incremental costs associated with its response to the incident.”

Commenting on the incident, Barrier Networks managing CISO Jordan Schroeder said: “This latest update from Rackspace will leave many of the company’s customers highly concerned that their data is now in the hands of cyber criminals.

“If this is the case, thousands of companies across the world will feel the consequences of this attack, and it will once again highlight that when an organisation is taking on the responsibility of storing or hosting data belonging to businesses, it has an even greater duty to keep it secure.”

Schroeder said that until more becomes known, it would be sensible for Rackspace Hosted Exchange customers to take additional precautions themselves, and in particular to implement additional monitoring on their own networks, and to deploy dark web intelligence in case their data has been exfiltrated.

Meanwhile, independent investigator and security commentator Kevin Beaumont presented limited evidence suggesting that the attack may have begun with exploitation of the so-called ProxyNotShell attack chain.

Writing on the Medium blogging platform, Beaumont – who coined the term ProxyNotShell himself – said he had extrapolated evidence from Shodan data that appears to show Rackspace’s Exchange cluster was showing long build numbers dating back to August, before the issue was patched in November’s Patch Tuesday update.

ProxyNotShell comprises two zero-day vulnerabilities, CVE-2022-41040, a remote code execution (RCE) vulnerability, and CVE-2022-41082, an elevation of privilege (EoP) vulnerability. Chained together, they can be used to access vulnerable Microsoft Exchange Servers.

A link to the Rackspace incident has not been proven and the company has made no statement as to the cause of the attack at this stage.

Leave a Reply

Your email address will not be published. Required fields are marked *