Rackspace: Hackers Obtained Customer Data In Ransomware Attack

Rackspace Technology confirms that the threat actors behind last month’s ransomware attack gained access to dozens of customers’ data. The company also said it will stop its Hosted Exchange service.

Rackspace Technology has confirmed hackers gained access to data from 27 customers during December’s ransomware attack, which caused massive outages for thousands of customers.

“Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table of 27 Hosted Exchange customers,” said Rackspace today in its latest incident response update.

The San Antonio, Texas-based cloud company said the threat actor, known as PLAY, accessed PST files that are usually used to store backup and archived copies of contacts, emails and events from Exchange accounts.

Rackspace said it has already let its 27 affected customers know about these findings, adding that there is no evidence the threat actor “actually viewed, obtained, misused or disseminated emails or data in the PSTs” for any of these customers.

“We will continue working to recover all data possible as planned, however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data,” Rackspace said.

The company expects the on-demand solution to be available within the next two weeks.

Root Cause Of Rackspace Ransomware Attack

On Dec. 6, Rackspace was hit with a ransomware attack that caused a massive outage at the multicloud technology company.

The ransomware attack affected its Hosted Exchange environment, which caused a loss of email services for thousands of customers.

Rackspace today said that while there has been speculation that the root cause of this incident was the result of the ProxyNotShell exploit, “we can now definitively state that is not accurate.”

The forensic investigation determined that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

“This zero-day exploit is associated with CVE-2022-41080. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable,” Rackspace said today.

Hosted Exchange Service To Discontinue

Rackspace said it will discontinue its Hosted Exchange service.

“The Hosted Exchange email environment will not be rebuilt as a go-forward service offering,” the cloud company said.

Even prior to the ransomware security breach, the Hosted Exchange email environment had already been planned for migration to Microsoft 365.

There will be no price increase for Hosted Exchange customers if they choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have, according to Rackspace.

“Every Hosted Exchange customer has the option to migrate and pay exactly what they are paying today or even slightly lower costs and have the same capabilities,” Rackspace said.