Rackspace Hit By Cyber Incident, Shut Down Hosted Exchange Systems

Rackspace's Hosted Exchange service, which allows businesses to use Microsoft Exchange servers for email, had to be shut down.

Source: Security Week | Published on December 6, 2022

Rackspace security issue

Rackspace’s Hosted Exchange service, which allows businesses to use Microsoft Exchange servers for email, began experiencing issues on Friday, December 2. Early in the day, the company confirmed the issues and informed customers that the Exchange environment had to be shut down due to a “significant failure.”

Rackspace revealed on Saturday, nearly 24 hours after the outage began, that the problems were caused by a “security incident.”

Rackspace has not stated whether this is a ransomware attack or another type of cyberattack, and it is also unclear whether there was any data breach involving customer or other types of information.

“The known effect is limited to a subset of our Hosted Exchange platform. We are taking the necessary steps to assess and protect our environments,” the company stated.

Users have been instructed to use Microsoft 365 for email until the situation is resolved, and affected customers are being given free access to that service. In its most recent update, Rackspace said it had restored email service for thousands of customers via Microsoft 365.

“In order to best protect the environment, Hosted Exchange will remain unavailable for an extended period of time. Moving to Microsoft 365 is currently the best solution for customers, and we strongly encourage affected customers to do so,” Rackspace said on Sunday.

Kevin Beaumont, a security researcher, believes the incident may have involved the exploitation of known Microsoft Exchange vulnerabilities, specifically CVE-2022-41040 and CVE-2022-41082, together known as ProxyNotShell. CVE-2022-41040 is a server-side request forgery (SSRF) bug, and CVE-2022-41082 allows remote code execution when PowerShell is reachable by the attacker; chaining the two requires authenticated access to the Exchange server, that is, a valid set of user credentials.

ProxyNotShell came to light in late September, when a Vietnamese cybersecurity firm reported that the flaws were being exploited in attacks. Microsoft confirmed the exploitation and attributed the attacks to a nation-state hacker group.

The tech titan rushed to share mitigations, but experts demonstrated that they could be easily circumvented. Microsoft did not release patches until November.

Beaumont recently observed that a Rackspace Exchange server cluster, now offline, had been running a build number from August 2022. Given that the ProxyNotShell flaws were only fixed in November, it is possible that threat actors used them to compromise Rackspace servers.
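The check Beaumont performed by eye, reading a build number off an exposed Exchange server and asking whether it predates the November fix, can be done mechanically. The script below is an added example and is not code from Security Week, Rackspace or Beaumont. The fix-level thresholds it hard-codes are assumptions taken from Microsoft's Exchange Server build number table for the November 2022 Security Update and should be verified against that table before use; the OWA response it parses is constructed, not captured from any real server. Cumulative Updates missing from the table deliberately return "unknown" rather than a guess.

```python
"""Classify an on-premises Exchange build against the ProxyNotShell fix level.

Added example, not part of the article. The revision thresholds are ASSUMED
from Microsoft's Exchange build number table (November 2022 SU, which fixed
CVE-2022-41040 / CVE-2022-41082); verify and extend them before relying on this.
"""
import re
from typing import Optional, Tuple

Build = Tuple[int, int, int, int]  # major, minor, CU build, SU revision

# Assumed: revision number of the November 2022 SU for each Cumulative Update,
# keyed by (major, minor, CU build). 15.0 = Exchange 2013, 15.1 = 2016, 15.2 = 2019.
NOV22_SU_REVISION = {
    (15, 0, 1497): 44,   # Exchange 2013 CU23 -> 15.0.1497.44
    (15, 1, 2507): 16,   # Exchange 2016 CU23 -> 15.1.2507.16
    (15, 2, 1118): 20,   # Exchange 2019 CU12 -> 15.2.1118.20
}

# Exchange 2013/2016/2019 builds all start with 15.0 / 15.1 / 15.2.
_BUILD_RE = re.compile(r"\b(15)\.([0-2])\.(\d{3,4})\.(\d{1,3})\b")


def extract_build(owa_response: str) -> Optional[Build]:
    """Pull the build from an OWA response: the X-OWA-Version header or the
    versioned /owa/auth/<build>/ resource path embedded in the login page."""
    m = _BUILD_RE.search(owa_response)
    if not m:
        return None
    major, minor, cu, rev = (int(g) for g in m.groups())
    return (major, minor, cu, rev)


def proxynotshell_status(build: Build) -> str:
    """Return 'patched', 'unpatched' or 'unknown'.

    'unknown' means the CU is not in the table; a CU that never received the
    November SU is effectively unpatched, but the table does not say so, so we
    refuse to guess. Note that Microsoft's interim URL-rewrite mitigation does
    not change the build number, and it was bypassed anyway, so a mitigated
    but unpatched server is still reported as 'unpatched'.
    """
    major, minor, cu, rev = build
    fixed_rev = NOV22_SU_REVISION.get((major, minor, cu))
    if fixed_rev is None:
        return "unknown"
    return "patched" if rev >= fixed_rev else "unpatched"


# Constructed sample of an OWA login response (hypothetical, not a real capture).
# 15.2.1118.12 is a pre-November build of Exchange 2019 CU12.
SAMPLE_OWA_RESPONSE = """HTTP/1.1 200 OK
X-OWA-Version: 15.2.1118.12
Content-Type: text/html

<link rel="shortcut icon" href="/owa/auth/15.2.1118.12/themes/resources/favicon.ico">
"""


if __name__ == "__main__":
    build = extract_build(SAMPLE_OWA_RESPONSE)
    print(build, proxynotshell_status(build))
```

In practice the response text would come from an HTTPS GET of `/owa/` against the server in question; the only network-dependent step is fetching it, and everything after that is the offline logic above. Run it against a server's own build, not against an inventory spreadsheet, since the spreadsheet is what tends to be out of date.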

“Although the vulnerability requires authentication, the exploits work without multi-factor authentication because Exchange Server does not yet support Modern Authentication at all, as Microsoft prioritized the implementation work,” Beaumont wrote in a blog post.

“If you are an MSP running a shared cluster, such as Hosted Exchange, it means that one compromised account on one customer compromises the entire hosted cluster. This is a high-risk situation,” he added.
