The World’s Largest Managed Cloud Provider Falls Victim to Ransomware Attack

DESCRIPTION

Rackspace Technology, Inc. is the largest managed cloud provider in the world, offering cloud services and expertise across multiple public cloud platforms to over half of the Fortune 100. On December 2, 2022, customers of its hosted Exchange service began reporting problems connecting to their accounts. Rackspace opened an investigation and chose to isolate the hosted Exchange platform to contain the incident. Rackspace has not confirmed how many customers lost email, but the number is believed to be in the thousands. For four days the company would say only that a security incident had occurred; on December 6 it confirmed that the outage was caused by a ransomware attack. Company leaders have insisted that no other products or services were affected, although additional security measures have been put in place and all activity is being closely monitored for suspicious behavior. The company said it will notify customers if evidence shows that their data was accessed or compromised during the attack.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

Because the investigation is ongoing, Rackspace will not disclose further details about the attack, such as who the perpetrators are or whether a ransom was paid. A third-party security consultant has identified one possible attack vector. According to the documentation he published, an Exchange server cluster that is now offline was running an outdated build a few days before the incident was disclosed. That build is susceptible to the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082), which Microsoft did not fix until its November 2022 security update. An outdated build number shows that the cluster was unpatched; it does not by itself show that this flaw was the entry point. As of this writing, there is no official explanation.
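The indicator described above is a build number that predates a required Security Update. The following is an added example, not code from the article or from Rackspace, showing how to turn a server inventory into that check: it parses the AdminDisplayVersion string that the Exchange Management Shell cmdlet Get-ExchangeServer prints for each server ("Version 15.2 (Build 986.5)"), or the dotted form "15.2.986.5", and compares the SU component against a per-Cumulative-Update minimum that the operator supplies. The server names and the minimum-build table below are constructed for illustration; the table entries are what I believe the November 2022 SU builds to be and must be confirmed against Microsoft's published Exchange build table before use.

```python
"""Flag Exchange servers whose build predates a required Security Update.

Added example, not from the article or from Rackspace. Input is the
AdminDisplayVersion string reported by Get-ExchangeServer, e.g.
"Version 15.2 (Build 986.5)", or the dotted form "15.2.986.5".
"""
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int, int, int]   # (major, minor, CU build, SU build)
CuKey = Tuple[int, int, int]        # (major, minor, CU build)

# Two formats seen in practice: the cmdlet's display form and the plain dotted form.
_DISPLAY_RE = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)")
_DOTTED_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(admin_display_version: str) -> Optional[Build]:
    """Return (major, minor, cu, su) or None if the string is not a build."""
    m = _DISPLAY_RE.search(admin_display_version) or _DOTTED_RE.match(admin_display_version)
    if not m:
        return None
    major, minor, cu, su = (int(g) for g in m.groups())
    return major, minor, cu, su


def check_servers(servers: Dict[str, str], minimums: Dict[CuKey, int]) -> Dict[str, str]:
    """Classify each server as patched, outdated, unknown-cu or unparseable.

    A Security Update only changes the last component, so the required
    minimum depends on which CU the server is on. A CU that is not in the
    table is either out of support or missing from the table; either way
    it is a finding, so it is not silently treated as patched.
    """
    results: Dict[str, str] = {}
    for name, text in servers.items():
        build = parse_build(text)
        if build is None:
            results[name] = "unparseable"
            continue
        major, minor, cu, su = build
        required = minimums.get((major, minor, cu))
        if required is None:
            results[name] = "unknown-cu"
        elif su >= required:
            results[name] = "patched"
        else:
            results[name] = "outdated"
    return results


# Constructed inventory (hypothetical server names, not Rackspace's).
SAMPLE_SERVERS = {
    "exch01": "Version 15.2 (Build 1118.20)",
    "exch02": "Version 15.2 (Build 986.5)",
    "exch03": "Version 15.1 (Build 2375.7)",
    "exch04": "unknown",
}

# Assumed November 2022 SU minimums per CU; verify against Microsoft's build table.
SAMPLE_MINIMUMS: Dict[CuKey, int] = {
    (15, 2, 1118): 20,   # Exchange 2019 CU12
    (15, 2, 986): 36,    # Exchange 2019 CU11
    (15, 1, 2507): 16,   # Exchange 2016 CU23
}

if __name__ == "__main__":
    for server, status in check_servers(SAMPLE_SERVERS, SAMPLE_MINIMUMS).items():
        print(f"{server}: {status}")
```

To feed real data in, collect the strings with `Get-ExchangeServer | Format-Table Name, AdminDisplayVersion` in the Exchange Management Shell and paste them into the inventory dictionary; an "unknown-cu" result means the server is on a CU the table does not cover, which is itself worth investigating.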

CONTAINMENT (If IoCs are identified)

Rackspace has taken a proactive role since the start of the incident. The company engaged CrowdStrike, which installed its endpoint detection and monitoring technology on all affected servers. The Rackspace internal security team has worked closely with a leading cyber defense firm throughout the investigation, and the company brought in a Microsoft FastTrack team to add resources and personnel for customer support and troubleshooting. The company published a web page with regular updates on the recovery effort. To get customers up and running as quickly as possible, Rackspace began offering complimentary access to a Microsoft 365 plan on December 3 as a temporary measure until recovery was complete; it reported that two-thirds of its customers had been moved to Microsoft 365 as of December 14. On December 18, Rackspace confirmed that every server in the isolated environment had been scanned and cleaned and that all data had been fully recovered. On December 21, the company announced that it was now in a position to begin handing PST files back to customers, and published a new web page outlining the process and answering frequently asked questions.

PREVENTION

The chaos that follows a high-impact attack like this one presents a perfect opportunity for other scammers and cybercriminals to exploit the situation. Throughout the recovery process, Rackspace has been vigilant in alerting customers to this possibility and has provided guidance to help them distinguish legitimate requests from fraudulent ones:

  • Emails from Rackspace will only come from the domains @rackspace.com or @rackspace.co.uk, with no added special characters or numbers.
  • Rackspace support personnel will never ask customers for login credentials or personal information.

In addition, Rackspace is reminding customers of the following basic security measures:

  • Do not open suspicious email attachments.
  • Do not click on embedded links that look suspicious.
  • Always confirm the sender’s email domain for all emails.
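Applying the two sender rules above by eye is error-prone, so here is an added example, not Rackspace's own tooling, that turns them into a triage check over a From: header. It treats only the bare domains rackspace.com and rackspace.co.uk as trusted and flags the usual ways the rule gets gamed: a trusted address planted in the display name, a subdomain, and lookalike domains built by adding characters or swapping digits for letters. The sample headers are constructed, not real mail from the incident, and the digit-for-letter table is my own choice of common substitutions.

```python
"""Sender-domain triage for the phishing guidance quoted in the article.

Added example, not Rackspace's code. Rule: genuine mail comes only from
@rackspace.com or @rackspace.co.uk, with no extra characters or digits.
"""
from email.utils import parseaddr
from typing import Tuple

TRUSTED_DOMAINS = {"rackspace.com", "rackspace.co.uk"}

# Digit-for-letter substitutions commonly used in lookalike domains (my assumption).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def split_from(from_header: str) -> Tuple[str, str]:
    """Return (display_name, domain), both lower-cased; domain is '' if no address."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower().strip() if "@" in addr else ""
    return name.lower(), domain


def _looks_like_trusted(domain: str) -> bool:
    """True when a non-trusted domain is built to resemble a trusted one."""
    normalized = domain.translate(_HOMOGLYPHS).replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):        # subdomain: the rule allows the bare domain only
            return True
        if trusted.split(".")[0] in normalized:   # "rackspace" buried inside another name
            return True
    return False


def classify_sender(from_header: str) -> str:
    """One of: trusted, display-name-spoof, lookalike, untrusted, no-address."""
    name, domain = split_from(from_header)
    if not domain:
        return "no-address"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(t in name for t in TRUSTED_DOMAINS):   # real address shown only in the display name
        return "display-name-spoof"
    if _looks_like_trusted(domain):
        return "lookalike"
    return "untrusted"


# Constructed sample From: headers; none are real messages from the incident.
SAMPLE_HEADERS = [
    "Rackspace Support <support@rackspace.com>",
    "noreply@rackspace.co.uk",
    "Rackspace <help@rackspace-support.com>",
    "billing@r4ckspace.com",
    "alerts@support.rackspace.com",
    '"support@rackspace.com" <attacker@example.net>',
    "newsletter@example.org",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):20s} {header}")
```

Only "trusted" satisfies the article's rule; every other outcome should be treated as a reason to verify the request through a channel the email did not provide. The check reads the header as received and says nothing about whether the trusted domain itself was spoofed, which is what SPF, DKIM and DMARC results on the message are for.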

Three weeks into the aftermath, the attack is proving costly. According to a recent SEC filing, Rackspace currently estimates a $30 million loss in revenue, and the final price tag is expected to be higher.