The hackers behind the ransomware attack against cloud data provider Rackspace also gained access to the email data of a small subset of customers.
Attackers accessed the Personal Storage Table (PST) for 27 Hosted Exchange customers at Rackspace, the company reported on Thursday. The same storage table contains calendar events, contacts and email messages, putting affected customers at serious risk of data exposure.
However, Rackspace added, “There is no evidence that the threat actor actually viewed, obtained, abused or disseminated email or data in the PSTs of any of the 27 Hosted Exchange customers in any way,” citing forensic findings from cybersecurity firm CrowdStrike.
Texas-based Rackspace issued the update a month after a ransomware attack disrupted access to its Hosted Exchange business, which provides cloud-based email services to 30,000 clients. Rackspace is now blaming the attack on a relatively new ransomware gang called Play.
The company’s forensic investigation found that the group used a previously unknown attack method in Microsoft Exchange Server to gain access to Rackspace’s Hosted Exchange systems. The attack method is linked to the CVE-2022-41080 vulnerability, which was disclosed in November and could give a hacker elevated privileges once inside an Exchange Server environment. However, Rackspace discovered that the hackers also used the flaw to help them execute malicious code on the company’s systems.
CrowdStrike discovered that Ransomware Spill exploits the same attack vector to attack victims. However, it noted that installing a November patch could stop the threat, an indicator that Rackspace was slow to install security updates for its Hosted Exchange systems.
In response to the breach, Rackspace says it will abandon its Hosted Exchange email environment. Instead, the company is continuing with existing plans to migrate customers’ accounts to Microsoft 365. In the meantime, Rackspace Email will be offered as an alternative to clients who want to remain outside of Microsoft 365.
“While the Hosted Exchange email environment was a small part of our business, it represents thousands of long-standing and loyal customers that we greatly value,” the company added.
In addition, Rackspace has been working to restore email databases for affected customers. “As of today, more than half of affected customers have some or all of their data available for download,” the company said. “But less than 5% of those customers have actually downloaded the mailboxes we’ve made available. This indicates to us that many of our customers have data that is backed up locally, archived, or otherwise doesn’t need the historical data.”
It remains unclear whether Rackspace ever paid the ransomware gang. But no trace of the hackers has been discovered in the company’s systems since December 2.