Cloud computing giant Rackspace, located in San Antonio TX, confirmed earlier this week that a ransomware attack caused a widespread outage that halted email services for thousands of people. Since last Friday, the company has been dealing with an outage that took down the Microsoft Outlook Web App for thousands of customers and caused other downstream issues. The company runs a lucrative business centered on hosting Microsoft Exchange infrastructure, which offers customers Microsoft email, calendar, and contact software.[1]
The company said on the 6th that a ransomware attack affected their Hosted Exchange environment, which is the root cause of the service disruption.
Rackspace – “Since becoming aware of suspicious activity in our Hosted Exchange environment on 12/2, we’ve determined that the isolated disruption is the result of ransomware and our security team is working with a lead cyber defense firm to investigate. Status: https://t.co/Uz0k8GL7Sg”
Rackspace said it hired a cybersecurity team to investigate the incident and isolated the Hosted Exchange environment in an effort to contain the damage. “Based on the investigation to date, Rackspace Technology believes that this incident was isolated to its Hosted Exchange business. Rackspace Technology’s other products and services are fully operational, and the company has not experienced an impact to its Email product line and platform,” the company said, eventually noting in the statement that the incident “may continue to cause an interruption. Out of an abundance of caution, Rackspace Technology has put additional security measures in place and will continue to actively monitor for any suspicious activity.”
The company said it will “migrate their users and domains to Microsoft 365” in addition to other measures. “At this time, we are unable to provide a timeline for restoration of the Hosted Exchange environment. We are working to provide customers with archives of inboxes where available, to eventually import over to Microsoft 365,” they said.
“As a temporary solution while you set up Microsoft 365, it is possible to also implement a forwarding option that will allow mail destined for a Hosted Exchange user to be routed to an external email address. Please log in to your customer account for a ticket with instructions to request this option. Customers should reply to the ticket to request the forwarding rule be put into place for each of their users.”
As of 5 December, the company’s support staff had already “helped thousands of customers move tens of thousands of users” to Microsoft 365 and restored email services for thousands of customers.
The company did not explain what percentage of customers have been moved over to Microsoft 365. According to Rackspace’s statement, their Hosted Exchange business generates $30 million in annual revenue, and the incident is likely to cause a loss in revenue. Shares of the company were down on Monday. Social media has been inundated with customers complaining about not being able to access services in connection to the Rackspace outage.
A security researcher believes the incident may involve exploitation of the Microsoft Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082, better known as ProxyNotShell. ProxyNotShell first came to light in late September after Vietnamese cybersecurity company GTSC observed it being exploited in the wild. Microsoft confirmed exploitation the following month and linked it to a state-sponsored hacker group.[2]
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://therecord.media/rackspace-says-ransomware-attack-caused-outage/
[2] https://techcrunch.com/2022/12/06/rackspace-blames-ransomware-attack-for-ongoing-exchange-outage/