Unpatched Exchange servers could be behind Rackspace's ransomware attack, according to one researcher


Rackspace's recently confirmed ransomware attack may have been facilitated by hackers exploiting the company's out-of-date Exchange clusters, according to one researcher.

The cloud computing firm confirmed the attack on 6 December had affected its hosted Microsoft Exchange environment, the fallout from which is causing service disruptions for customers.

Security researcher Kevin Beaumont suggested that the cyber criminals were able to launch their attack after exploiting Exchange server clusters that didn't appear to have been patched since August 2022, before the patches for the ProxyNotShell exploit were released.

In his analysis Beaumont added that Exchange log build numbers aren’t always reliable, and the breach could have happened because of other issues.

Microsoft released the patch for the ProxyNotShell vulnerability at the start of November. The patch fixed two security issues that affect Microsoft Exchange Server 2013, 2016, and 2019. The flaws allowed attackers to escalate privileges to run PowerShell and achieve arbitrary or remote code execution, enabling them to target server accounts and then try to trigger malicious code.

“The Microsoft-supplied mitigations for ProxyNotShell are bypassable,” said Beaumont. “IIS rewrite, which Microsoft used for mitigations, doesn’t decode all URLs correctly and as such can be bypassed for exploitation. If you relied on the PowerShell mitigation or EEMS application, your Exchange Server is still vulnerable - Microsoft just hasn’t told you this clearly. The fix is to patch.”

He added that the exploits function without multi-factor authentication as Exchange Server doesn’t support Modern Authentication, due to Microsoft deprioritising this implementation work.

“If you are an MSP running a shared cluster, such as hosted Exchange, it means that one compromised account on one customer will compromise the entire hosted cluster. This is high risk,” said Beaumont.

Scale of the attack

Rackspace believes the attack only affected its hosted Exchange business, and its other products and services are fully operational.

It’s committed to implementing additional security measures and is monitoring its systems for any suspicious activity. It has also hired an incident response firm to investigate the matter, alongside its internal security team.

Rackspace said it is helping Hosted Exchange customers migrate their data to a new environment as rapidly as it can. It has increased its support staff to assist with this and aims to guide customers through the migration process so that the impact on their own operations is reduced.

“Although Rackspace Technology is in the early stages of assessing this incident, the incident has caused and may continue to cause an interruption in its Hosted Exchange business and may result in a loss of revenue for the hosted Exchange business, which generates approximately $30 million of annual revenue in the apps and cross-platform segment,” said the company. “In addition, Rackspace Technology may have incremental costs associated with its response to the incident.”

Thousands of companies across the world will feel the consequences of this attack, said Jordan Schroeder, managing CISO at Barrier Networks. He said that it will also underline the duty that organisations storing or hosting business data have to keep it secure.

“Rackspace also must re-evaluate its defences against ransomware, because when it comes to modern threats, prevention is always better than cure,” said Schroeder. “This involves re-establishing their cyber hygiene baseline, using zero trust principles to limit the impact of breaches by protecting key accounts and preventing lateral movement, and training employees regularly on cybersecurity and the evolving threat landscape.”



The company first reported that the incident began on 2 December, communicating that it was investigating an issue on its hosted Exchange environments.

Hours later, it told customers it was working through an issue with hosted Exchange accounts and that it had proactively shut down the environment to avoid further issues. It also gave customers access to Microsoft Exchange Plan 1 licences on Microsoft 365 as a temporary workaround.

The next day, Rackspace said the issue was a security incident that affected a portion of its hosted Exchange platform. On 4 December, the company said the incident was set to be an extended outage of the hosted Exchange.

It urged customers to move to Microsoft 365, saying this was the best solution. Although it said it had restored email services to thousands of customers on Microsoft 365, it acknowledged that self-migration wasn't simple and could be challenging to implement.

Zach Marzouk
