Rackspace’s hosted Microsoft Exchange environments were affected by a “security incident” which has knocked out email services to their customers.
Rackspace is one of the top 250 public cloud MSPs with a market valuation of $1.02 billion as of December 4, 2022 — down roughly 65% over the past year, according to SeekingAlpha.
Details on the “security incident”
Rackspace confirmed a Hosted Exchange ransomware attack has knocked out email service to customers. The company first disclosed an issue with its hosted Microsoft Exchange environments early Friday morning that was preventing its customers from accessing mail services.
During the initial investigation, Rackspace’s status page referred to the outage as a “security incident.”
"We proactively powered down and disconnected the Hosted Exchange environment while we triaged to understand the extent and the severity of the impact, after further analysis, we have determined that this is a security incident." - Rackspace update
The latest update from Rackspace through their status page is that the company has determined this suspicious activity was the result of a ransomware incident.
Products and Services Other Than Hosted Exchange Services are not affected
According to the company, other services and products were not affected and are fully operational.
The company is making available resources so that customers can migrate their users and domains to Microsoft 365. At this time, we are unable to provide a timeline for the restoration of the Hosted Exchange environment.
“We are working to provide customers with archives of inboxes where available, to eventually import over to Microsoft 365.”
The Cause of the incident?
Security researcher Kevin Beaumont believes the incident may involve the exploitation of known vulnerabilities affecting Microsoft Exchange, specifically CVE-2022-41040 and CVE-2022-41082, which are known as ProxyNotShell.
Beaumont noticed that a Rackspace Exchange server cluster that is currently offline was running a build number from August 2022 a few days ago. Considering that the ProxyNotShell vulnerabilities were only fixed in November, it’s possible that threat actors exploited the flaws to breach Rackspace servers.
“Although the vulnerability needs authentication, the exploits work without multi-factor authentication as Exchange Server doesn’t yet support Modern Authentication at all, as Microsoft deprioritised the implementation work. If you are an MSP running a shared cluster, such as Hosted Exchange, it means that one compromised account on one customer will compromise the entire hosted cluster. This is high risk.” - Kevin Beaumont
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.