Rackspace has confirmed that it was hit by ransomware. The incident on December 2 affected its hosted Microsoft Exchange offering, leaving hundreds of thousands of customer email inboxes inaccessible.
The scale of the attack is significant. Rackspace said its Hosted Exchange business generates $30 million in annual revenue – but has refused to answer questions about how many customers were affected.
Cached Google information on Rackspace pricing suggests that the company charges $11 per account/month, or $132/account/year, which would equate to approximately 227,000 hosted Exchange mailboxes hit.
UPDATED January 2023: Rackspace says 30,000 customers were affected. See our report here.
Rackspace ransomware attack: “Too early” to say if data lost
“Our investigation is still in its early stages, and it is too early to say what, if any, data was affected. If we determine sensitive information was affected, we will notify customers as appropriate,” Rackspace said.
Worryingly for those keen to retrieve their emails in the wake of the Rackspace ransomware attack, the company said it is “unable to provide a timeline for restoration of the Hosted Exchange environment.”
In better news for customers, a dedicated separate archiving service was unaffected and those who had paid extra for that appear to have been able to restore emails. Restoration challenges suggest Rackspace may not have had easily accessible, segmented and immutable backups for Microsoft Exchange customers by default.
Security researcher Kevin Beaumont suggested that the company had failed to fully patch against Microsoft’s “ProxyNOTShell” vulnerability in Exchange Server, saying that Shodan data showed a Rackspace hosted Microsoft Exchange build number from August 2022, before the ProxyNotShell patches became available.
He added: “Microsoft supplied mitigations for ProxyNotShell are bypassable. IIS Rewrite, which Microsoft used for mitigations, doesn’t decode all URLs correctly and as such can be bypassed for exploitation.
“If you relied on the PowerShell mitigation or EEMS application, your Exchange Server is still vulnerable – Microsoft just haven’t told you this clearly. The fix is to patch. Although the vulnerability needs authentication, the exploits work without multi-factor authentication as Exchange Server doesn’t yet support Modern Authentication at all, as Microsoft deprioritised the implementation work… If you are an MSP running a shared cluster… one compromised account on one customer will compromise the entire hosted cluster.”
Rackspace has not named the ransomware type/group responsible.
Among the many prolific new ransomware types is Hive, which has generated nearly $6 million per month for cybercriminals since June 2021, making successful attacks on over 1,300 victims, US agencies warned in November. Hive is typically dropped after attackers access a network via a phishing email, exposed RDP, exploitation of unpatched software (FortiOS vulnerability CVE-2020-12812 and Microsoft Exchange’s ProxyShell vulnerabilities have been favourites; there will be others) or leaked VPN creds (i.e. all of the many common ways machines and networks are breached.) Like most sophisticated ransomware payloads, Hive ransomware runs processes that kill off a sweeping array of antivirus/EDR tools, delete backups and prevent recovery. It disables “all portions of Windows Defender and other common antivirus programs in the system registry” said US cybersecurity agency CISA.