Rackspace Incident Highlights How Disruptive Attacks on Cloud Providers Can Be




A Dec. 2 ransomware attack at Rackspace Technology, which the managed cloud hosting company took several days to confirm, is rapidly becoming a case study on the havoc that can result from a single well-placed attack on a cloud service provider.

The attack has disrupted email services for hundreds of mostly small and midsize organizations. The forced migration to a competitor’s platform left some Rackspace customers frustrated and desperate for support from the company. It has also already prompted at least one class-action lawsuit and pushed the publicly traded Rackspace’s share price down almost 21% over the past five days.

Delayed Disclosure?

“While it is attainable the foundation trigger was a missed patch or misconfiguration, there’s not sufficient info publicly obtainable to say what approach the attackers used to breach the Rackspace atmosphere,” says Mike Parkin, senior technical engineer at Vulcan Cyber. “The bigger concern is that the breach affected a number of Rackspace prospects right here, which factors out one of many potential challenges with counting on cloud infrastructure.” The attack shows how, if threat actors can compromise or cripple large service providers, they can affect multiple tenants at once.

Rackspace first disclosed something was amiss at 2:20 a.m. EST on Dec. 2 with an announcement it was looking into “a difficulty” affecting the company’s Hosted Exchange environment. Over the next several hours, the company kept providing updates about customers reporting email connectivity and login issues, but it wasn’t until almost a full day later that Rackspace even identified the issue as a “safety incident.”

By that time, Rackspace had already shut down its Hosted Exchange environment citing “vital failure” and said it didn’t have an estimate for when the company would be able to restore the service. Rackspace warned customers that restoration efforts could take several days and advised those seeking immediate access to email services to use Microsoft 365 instead. “At no price to you, we can be offering entry to Microsoft Exchange Plan 1 licenses on Microsoft 365 till additional discover,” Rackspace said in a Dec. 3 update.

The company noted that Rackspace’s support team would be available to help administrators configure and set up accounts for their organizations in Microsoft 365. In subsequent updates, Rackspace said it had helped, and was helping, hundreds of its customers move to Microsoft 365.

A Big Challenge

On Dec. 6, more than four days after its first alert, Rackspace identified the issue that had knocked its Hosted Exchange environment offline as a ransomware attack. The company described the incident as isolated to its Exchange service and said it was still trying to determine what data the attack might have affected. “At this time, we’re unable to offer a timeline for restoration of the Hosted Exchange atmosphere,” Rackspace said. “We are working to offer prospects with archives of inboxes the place obtainable, to finally import over to Microsoft 365.”

The company acknowledged that moving to Microsoft 365 isn’t going to be particularly easy for some of its customers and said it has mustered all the support it can get to help organizations. “We acknowledge that organising and configuring Microsoft 365 might be difficult and we’ve got added all obtainable assets to assist help prospects,” it said. Rackspace suggested that as a temporary solution, customers could enable a forwarding option, so mail destined to their Hosted Exchange account goes to an external email address instead.

Rackspace has not disclosed how many organizations the attack has affected, whether it received any ransom demand or paid a ransom, or whether it has been able to identify the attacker. The company did not respond immediately to a Dark Reading request seeking information on these issues. In a Dec. 6 SEC filing, Rackspace warned the incident could cause a loss in revenue for the company’s almost $30 million Hosted Exchange business. “In addition, the Company might have incremental prices related to its response to the incident.”

Customers Are Furious and Frustrated

Messages on Twitter suggest that many customers are furious at Rackspace over the incident and the company’s handling of it so far. Many appear frustrated at what they perceive as Rackspace’s lack of transparency and the challenges they’re encountering in trying to get their email back online.

One Twitter user and apparent Rackspace customer wanted to know about their organization’s data. “Guys, when are you going to present us entry to our information,” the user posted. “Telling us to go to M365 with a brand new clean slate isn’t acceptable. Help your companions. Give us our information again.”

Another Twitter user suggested that the Rackspace attackers had also compromised customer data in the incident, based on the number of Rackspace-specific phishing emails they’d been receiving the past few days. “I assume your whole buyer information has additionally been breached and is now on the market on the darkish internet. Your prospects aren’t silly,” the user said.

Several others expressed frustration over their inability to get support from Rackspace, and others claimed to have terminated their relationship with the company. “You are holding us hostages. The lawsuit goes to take you to chapter,” another apparent Rackspace customer noted.

Davis McCarthy, principal security researcher at Valtix, says the breach is a reminder of why organizations should pay attention to the fact that security in the cloud is a shared responsibility. “If a service supplier fails to ship that safety, a corporation is unknowingly uncovered to threats they can’t mitigate themselves,” he says. “Having a threat administration plan that determines the influence of these identified unknowns will assist organizations get well throughout that worst case state of affairs.”

Meanwhile, the lawsuit, filed by California law firm Cole & Van Note on behalf of Rackspace customers, accused the company of “negligence and associated violations” around the breach. “That Rackspace supplied opaque updates for days, then admitted to a ransomware occasion with out additional buyer help is outrageous,” a press release announcing the lawsuit noted.

Did the Attackers Exploit “ProxyNotShell” Exchange Server Flaws?

No details are publicly available on how the attackers might have breached Rackspace’s Hosted Exchange environment. But security researcher Kevin Beaumont has said his analysis showed that just prior to the intrusion, Rackspace’s Exchange cluster had versions of the technology that appeared vulnerable to the “ProxyNotShell” zero-day flaws in Exchange Server earlier this year.

“It is feasible the Rackspace breach occurred attributable to different points,” Beaumont said. But the breach is a general reminder of why Exchange Server administrators need to apply Microsoft’s patches for the flaws, he added. “I anticipate continued assaults on organizations through Microsoft Exchange by 2023.”
