
Unpatched Exchange servers could be behind Rackspace's ransomware attack, according to one researcher

One security researcher suggested the company's Exchange server build log numbers were from August, months before ProxyNotShell patches were released

Rackspace's recently confirmed ransomware attack may have been facilitated by hackers exploiting the company's out-of-date Exchange clusters, according to one researcher.

The cloud computing firm confirmed the attack on 6 December had affected its hosted Microsoft Exchange environment, the fallout from which is causing service disruptions for customers.

Security researcher Kevin Beaumont suggested that the cyber criminals were able to launch their attack by exploiting Exchange server clusters that did not appear to have been patched since August 2022, before the patches for the ProxyNotShell exploit were released.

In his analysis, Beaumont added that build numbers taken from Exchange logs aren’t always reliable, and the breach could have resulted from other issues.

Microsoft released the patch for the ProxyNotShell vulnerability at the start of November, fixing two security issues that affect Microsoft Exchange Server 2013, 2016, and 2019. Attackers were able to escalate privileges to run PowerShell and achieve arbitrary or remote code execution, enabling them to target server accounts and then attempt to run malicious code.

“The Microsoft-supplied mitigations for ProxyNotShell are bypassable,” said Beaumont. “IIS rewrite, which Microsoft used for mitigations, doesn’t decode all URLs correctly and as such can be bypassed for exploitation. If you relied on the PowerShell mitigation or EEMS application, your Exchange Server is still vulnerable - Microsoft just hasn't told you this clearly. The fix is to patch.”

He added that the exploits function without multi-factor authentication as Exchange Server doesn’t support Modern Authentication, due to Microsoft deprioritising this implementation work.

“If you are an MSP running a shared cluster, such as hosted Exchange, it means that one compromised account on one customer will compromise the entire hosted cluster. This is high risk,” said Beaumont.

Scale of the attack

Rackspace believes the attack only affected its hosted Exchange business, and its other products and services are fully operational.

It’s committed to implementing additional security measures and is monitoring its systems for any suspicious activity. It has also hired an incident response firm to investigate the matter, alongside its internal security team.

Rackspace said it is helping Hosted Exchange customers migrate their data to a new environment as rapidly as it can. It has increased its support staff to help with this and aims to guide customers through the migration so that their own operations are impacted as little as possible.

“Although Rackspace Technology is in the early stages of assessing this incident, the incident has caused and may continue to cause an interruption in its Hosted Exchange business and may result in a loss of revenue for the hosted Exchange business, which generates approximately $30 million of annual revenue in the apps and cross-platform segment,” said the company. “In addition, Rackspace Technology may have incremental costs associated with its response to the incident.”

Thousands of companies across the world will feel the consequences of this attack, said Jordan Schroeder, managing CISO at Barrier Networks. He said it also underlines the duty that organisations which store or host business data have to keep it secure.

“Rackspace also must re-evaluate its defences against ransomware, because when it comes to modern threats, prevention is always better than cure,” said Schroeder. “This involves re-establishing their cyber hygiene baseline, using zero trust principles to limit the impact of breaches by protecting key accounts and preventing lateral movement, and training employees regularly on cybersecurity and the evolving threat landscape.”


The company first reported that the incident began on 2 December, communicating that it was investigating an issue on its hosted Exchange environments.

Hours later, it told customers it was working through an issue with hosted Exchange accounts and that it had proactively shut down the environment to avoid further issues. It also gave customers access to Microsoft Exchange Plan 1 licences on Microsoft 365 as a temporary workaround.

The next day, Rackspace said the issue was a security incident that affected a portion of its hosted Exchange platform. On 4 December, the company said the incident was set to be an extended outage of hosted Exchange.

It urged customers to move to Microsoft 365, saying this was the best solution. Although it said that it had restored email services to thousands of customers on Microsoft 365, it said that it understood that self-migration wasn't simple and could be challenging to implement.
