A ransomware attack on the Texas-based cloud computing giant Rackspace Technology caused email outages for thousands of its customers, the company disclosed.
In a status page posted on its website, the company said it had “powered down and disconnected its Exchange service” after a “security incident” that was isolated to its Hosted Exchange business. Rackspace said it discovered some suspicious activity on its platform and hired a leading cybersecurity firm to investigate the security incident and determine “what, if any, data was affected.”
A ransomware attack on Hosted Exchange caused Rackspace email outages
Rackspace confirmed that email outages experienced by thousands of customers resulted from a ransomware attack on its Hosted Exchange business.
“As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident,” the company said. “We have since determined this suspicious activity was the result of a ransomware incident.”
Rackspace said in an SEC filing that the ransomware attack would cause a loss of revenue for the Hosted Exchange business, which generates $30 million a year within the Apps & Cross Platform segment, and would bring other “incremental costs.”
The impacted customers would likely incur expenses and potentially lose business and data due to the Rackspace email outages. Rackspace did not disclose the number of customers affected by the email outages or whether their data was safe from unauthorized access. The cloud infrastructure company also did not reveal the identity of the ransomware group or whether it had received any ransom demands.
“This latest targeted ransomware attack on a managed cloud computing company demonstrates the immense impact these incidents can have on business success and uptime,” said Arti Raman, CEO and founder of Titaniam. “It is also a critical reminder that even the most technical organizations can eventually fall victim. It can truly happen to anyone and any company.”
However, Raman believes organizations could minimize successful ransomware attacks and subsequent data exfiltration. She recommended a “three-part solution” that includes prevention and detection solutions, data security tools such as encryption in transit to prevent large-scale exfiltration, and backup and recovery.
Rackspace migrates customers after widespread email outages
Earlier, the cloud computing company had been urging its customers to migrate from Microsoft Exchange service to Microsoft 365. However, the company warned about the demanding process of configuring each user’s email account during the migration.
After unsuccessful attempts to reach the overwhelmed Rackspace customer service, some customers resorted to hiring third-party tech support firms to facilitate the switch. Others took to social media to complain about the Rackspace email outages and the laborious task of migrating to the cloud version of the email communications suite.
Meanwhile, Rackspace began transferring its Hosted Exchange customers to reduce disruption caused by email outages. The company offered free Microsoft 365 subscriptions and mobilized a team of 1,000 support technicians in a “surge capacity” to facilitate the migration.
Rackspace claims to have transferred thousands of customers and tens of thousands of users, although many tickets remained unresolved.
According to the company, customers with archived data could import it to their Microsoft 365 account. However, only customers subscribed to the Rackspace archive service were guaranteed to recover their data from the impacted platform.
The hosting company also offered an email forwarding option to reroute emails received in impacted mailboxes to an external email address during the ongoing migration.
Rackspace ransomware attack exploited the ProxyNotShell Microsoft Exchange vulnerability
Former Microsoft employee and security researcher Kevin Beaumont stated that the Rackspace ransomware attack leveraged the ProxyNotShell Microsoft Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082. The Vietnamese cybersecurity firm GTSC discovered the vulnerabilities in September and attributed their exploitation to nation-state hackers.
According to Beaumont, Rackspace’s Microsoft Exchange servers had build numbers predating the ProxyNotShell vulnerability. He estimated that thousands of small and medium businesses had been impacted by Rackspace email outages.