Rackspace blames ransomware attack for ongoing Exchange outage

Cloud computing giant Rackspace has confirmed that it has been hit by a ransomware attack that has left a number of its customers without access to email.

Rackspace’s hosted Microsoft Exchange service started experiencing problems on Friday last week. At the time, Rackspace posted a notice on its status page saying that due to a “security incident,” it had “powered down and disconnected” the service. In an update published on Tuesday, Rackspace confirmed that a ransomware attack is behind the ongoing outage.

“As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident,” the company said in a statement on Tuesday. “We have since determined this suspicious activity was the result of a ransomware incident.”

Rackspace says that the investigation, led by an unnamed cyber defense firm, is in its early stages and that the company has yet to determine “what, if any, data was affected.” The company added that if it determines that sensitive information was affected, it will “notify customers as appropriate.”

When asked by TechCrunch, Rackspace spokesperson Natalie Silva declined to share any more information about the nature of the incident or how the hackers were able to compromise its systems. 

However, security researcher Kevin Beaumont believes the incident may involve exploitation of the Microsoft Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082, better known as ProxyNotShell. ProxyNotShell first came to light in August after Vietnamese cybersecurity company GTSC observed it being exploited in the wild. Microsoft confirmed exploitation the following month and linked it to a state-sponsored hacker group.

The issues affecting Rackspace’s hosted Microsoft Exchange service remain ongoing at the time of writing. The company is currently moving its Hosted Exchange customers over to Microsoft 365 to limit disruption.

Rackspace noted that the ransomware incident could result in lost revenue for its Hosted Exchange business, which generates about $30 million a year. The company added that it could have incremental costs associated with its response to the incident.