Rackspace monitoring systems hit by zero-day

Exclusive: Rackspace has told customers that intruders exploited a zero-day bug in a third-party application it was using, and abused that vulnerability to break into its internal performance monitoring environment. That intrusion forced the cloud-hosting outfit to temporarily take its monitoring dashboard offline for customers.

"On September 24, 2024, Rackspace discovered a zero-day remote code execution vulnerability in a non-Rackspace utility, that is packaged and delivered alongside the third-party ScienceLogic application," a spokesperson for the IT provider told The Register Monday. It not only discovered that flaw, it found it had been exploited.

Rackspace uses this ScienceLogic app internally for system monitoring. ScienceLogic, which supplies IT infrastructure monitoring, did not immediately respond to a request for comment.

Abusing this vulnerability gave the criminals access to three of Rackspace's internal monitoring webservers, "and some limited monitoring information," the Rackspace spokesperson told us, adding:

A letter sent to Rackspace customers and shared earlier with The Register by a reader provides additional details about what the crooks accessed. It notes that the "limited" internal monitoring information included: customer account names and numbers, customer usernames, Rackspace internally generated device IDs, names and device information, device IP addresses, and AES256 encrypted Rackspace internal device agent credentials.

We've asked Rackspace for more details, such as how many customers were affected, regarding this cyber close shave. 

The letter customers received also says there is no need for them to take any remediation steps, but "in an abundance of caution, we commenced rotation of the Rackspace internal device agent credentials."

"There was no other customer service disruption as a result of this event," the biz told its clients. "No other Rackspace products, platforms, solutions, or businesses were affected by this event. We have actively notified all affected customers and are updating customers as appropriate."

Rackspace also assured us that upon spotting the security breach, it immediately isolated the affected equipment, took it offline, and then worked with ScienceLogic to develop and apply a patch.

"ScienceLogic has notified their customers, and we have actively notified Rackspace customers utilizing this third-party monitoring service," the spokesperson said.

In December 2022, the IT provider's hosted Microsoft Exchange service was hit by a ransomware attack, which shut down email services to thousands of customers, most of whom were small and mid-sized businesses.

The company's expenses related to the cyberattack, also due to a zero-day exploit, hit about $11 million, Rackspace said in a 2023 regulatory filing. ®

Source: theregister.com
