Author: Eva Georgieva / Last Updated: 12/13/2022
Reviewed By: Dalibor Gašić, & Michael Swanagan, CISSP, CISA, CISM
On December 2, Rackspace Technology's customers started experiencing issues while trying to log in to their Exchange environment.
For Rackspace that was enough of an indicator to start investigating, and after their initial analysis they confirmed that a security incident had occurred.
A few days later, Rackspace Technology stated that the issue was in fact ransomware, which was the cause of the outage the users were experiencing.
Ransomware is a type of malware attack in which the attacker encrypts the victim's data.
Systems are locked, so the victim has to make a payment to the attacker in order for the attacker to decrypt their data and make it accessible again.
Usually, this type of cyber attack uses any system, network, or software vulnerability, or any human error, as an entry vector to infect the victim's systems or devices.
These devices can be a computer, printer, POS terminal, smartwatch, smartphone, or any other endpoint.
Ransomware works in several phases and usually unfolds as a six-stage attack.
Per the Rackspace Technology statement, the ransomware was an isolated incident that only impacted and took down their Hosted Exchange implementations; their other services, such as their email product line and platform, were left intact.
Even with that information, they still state that at this stage of the investigation they cannot say whether any customer or sensitive data was compromised. There are currently no signs of data theft, but that is still to be confirmed.
However, due to the nature of the attack, phishing campaigns and scammers impersonating the Rackspace Support Team are taking advantage of the situation and targeting Rackspace customers.
Rackspace notified their users to stay vigilant, not to give out personal information on phone calls, and to monitor their bank account statements and credit reports for suspicious activity.
Besides that, Rackspace stated that the Hosted Exchange business, which by their estimate generated around $30 million in annual revenue, will suffer a loss of revenue.
Although Rackspace has not issued a statement confirming the source of the attack, cyber security researchers tend to point to unpatched software.
In particular, security researcher Kevin Beaumont elaborated in his Medium blog that Rackspace's Exchange cluster had an old build version number, specifically a build from before the patch for the ProxyNotShell vulnerability was released.
In his research, Mr. Beaumont also stated that if an MSP is running a shared cluster, such as Hosted Exchange, then the compromise of a single account belonging to a single customer has the potential to compromise the entire hosted cluster.
Although it is not clear that this was the entry vector for the attack, there is still a chance that unpatched software led to Rackspace becoming a victim of ransomware.
A ransomware attack takes several stages, and if a good IDS solution is in place, there will be indicators of an attacker moving laterally through the network. These indicators allow the victim to detect the attack while it is still in progress, even if earlier stages went unnoticed.
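One concrete form such a lateral-movement indicator can take is a single source host performing network logons to many different hosts within a short window. The following is an added example written for this article, not code from PurpleSec, Rackspace or any IDS product: it parses a small constructed set of Windows logon records (event 4624, with the logon type in a separate field) and flags any source address that reaches a threshold number of distinct destination hosts inside a sliding five-minute window. The log format, field order, host names and addresses are all assumptions made for the example.

```python
"""
Lateral-movement "fan-out" heuristic over Windows network logon events.

Added example for illustration only; not part of the original article or of
any vendor tooling. Every log line below is constructed for the example.
Assumed record layout: timestamp,event_id,logon_type,src_ip,dst_host,user
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account hops across six hosts in about a
# minute, while two other sources show ordinary, low-volume activity.
SAMPLE_LOG = """\
2022-12-02T03:10:05,4624,3,10.0.5.23,MBX01,svc_backup
2022-12-02T03:10:09,4624,3,10.0.5.23,MBX02,svc_backup
2022-12-02T03:10:14,4624,3,10.0.5.23,MBX03,svc_backup
2022-12-02T03:10:20,4624,3,10.0.5.23,CAS01,svc_backup
2022-12-02T03:10:27,4624,3,10.0.5.23,DC01,svc_backup
2022-12-02T03:11:02,4624,3,10.0.5.23,FS01,svc_backup
2022-12-02T03:15:00,4624,2,10.0.8.44,WS-042,jdoe
2022-12-02T03:40:10,4624,3,10.0.8.44,FS01,jdoe
2022-12-02T04:20:00,4624,3,10.0.9.9,MBX01,admin
"""


def parse_events(text):
    """Turn the comma-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, dst, user = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "src": src,
            "dst": dst,
            "user": user,
        })
    return events


def detect_fan_out(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per source that performs network logons (4624 /
    logon type 3) to at least `threshold` distinct hosts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        # Only successful network logons are interesting for lateral movement;
        # interactive logons (type 2) on a workstation are normal user activity.
        if e["event_id"] == "4624" and e["logon_type"] == "3":
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["dst"] for e in span}
            if len(hosts) >= threshold:
                alerts.append({
                    "src": src,
                    "hosts": sorted(hosts),
                    "users": sorted({e["user"] for e in span}),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_events(SAMPLE_LOG)):
        print(f"{alert['src']} reached {len(alert['hosts'])} hosts "
              f"({', '.join(alert['hosts'])}) as {', '.join(alert['users'])} "
              f"between {alert['first']} and {alert['last']}")
```

The threshold and window are deliberately parameters: a backup or monitoring account that legitimately touches every mailbox server will trip this rule, so in practice the detection is tuned per environment and the alert is enriched with the account and the time of day before anyone acts on it.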
Patching the software versions of the different systems is also an important aspect, since it reduces the chance that an attacker will find an easy entry vector.
Besides that, network segregation, maintaining backups, and hardening endpoints are just a few of the ways organizations can avoid falling victim to a ransomware attack.
Eva is a security engineer, researcher, and penetration tester with over 5 years of experience working on both red teams and blue teams.