The hackers behind the ransomware attack on cloud computing provider Rackspace also accessed the email data of a small subset of customers.
Attackers had access to the Personal Storage Table (PST) for 27 Hosted Exchange customers on Rackspace, the company reported on Thursday. The same storage table contains calendar events, contacts, and email messages, putting affected customers at serious risk of data exposure.
However, Rackspace added: “There is no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way,” citing forensic findings from cybersecurity firm CrowdStrike.
Texas-based Rackspace provided the update a month after a ransomware attack disrupted access to its Hosted Exchange business, which offers cloud-based email services to 30,000 clients. Rackspace is now blaming the attack on a relatively new ransomware gang called Play.
The company’s forensic investigation found that the group used a previously unknown attack method in Microsoft Exchange Server to gain access to Rackspace’s Hosted Exchange systems. The attack method is actually connected to the CVE-2022-41080 vulnerability, which was disclosed in November and can give a hacker elevated privileges once inside an Exchange Server environment. However, Rackspace discovered the hackers also used the flaw to help them execute rogue computer code on the company’s systems.
CrowdStrike spotted the ransomware gang Play exploiting the same attack vector against victims. However, it noted that installing a November patch can stop the threat, an indicator that Rackspace was slow to install security updates for its Hosted Exchange systems.
In response to the breach, Rackspace says it will abandon its Hosted Exchange email environment. Instead, the company is proceeding with existing plans to migrate customers’ accounts to Microsoft 365. Meanwhile, Rackspace Email will be offered as an alternative to clients who wish to remain off Microsoft 365.
“While the Hosted Exchange email environment was a small part of our business, it represents thousands of long-time and loyal customers whom we deeply value,” the company added.
In addition, Rackspace has been working to recover email databases for affected customers. “As of today, more than half of impacted customers have some or all of their data available to them for download,” the company said. “However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data.”
It remains unclear if Rackspace ever paid the ransomware gang. But no trace of the hackers has been detected in the company’s systems since Dec. 2.