Final Update from Rackspace - and confirmation Hosted Exchange email environment will NOT be rebuilt
Friday, 6th January, 2023
Final Update from Rackspace - Hosted Exchange Disruption
01/05/2023 05:41 PM EST
Our Racker team has been hard at work over the holidays and into the New Year to support recovery efforts. We have recently completed our forensic investigation and are now in a position to share more information about the root cause and full scope of the incident.
While there has been widespread speculation that the root cause of this incident was the result of the ProxyNotShell exploit, we can now definitively state that is not accurate. We have been diligent about this forensic investigation and prioritizing accuracy and precision in everything we say and do, because our credibility is important to us at Rackspace.
The forensic investigation determined that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment. This zero-day exploit is associated with CVE-2022-41080. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable.
We urge all organizations and security teams to read the blog CrowdStrike recently published about this exploit and learn how to take action to protect your own organization, available at https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/. We will be sharing more detailed information with our customers and peers in the security community so that, collectively, we can all better defend against these types of exploits in the future.
As a reminder, no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident.
Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table ("PST") of 27 Hosted Exchange customers. We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way. Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.
Notably, this information does not impact the ongoing process of recovering historical email data for our Hosted Exchange email customers. As of today, more than half of impacted customers have some or all of their data available to them for download. However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data. We will continue working to recover all data possible as planned; however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.
As a reminder, we are proactively notifying customers for whom we have recovered greater than 50% of their mailboxes. Those PST files are now available through the customer portal. To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page (https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources) and see if your mailbox is ready to download. As a reminder, we have prepared additional support resources that are available on our landing page (https://www.rackspace.com/hosted-exchange-incident), but if your data is available and you are having trouble downloading it, please contact our support channels by either joining us in chat or by calling +1 (855) 348-9064 (INTL: +44 (0) 203 917 4743), and we will be happy to assist you.
Finally, the Hosted Exchange email environment will not be rebuilt as a go-forward service offering. Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionality. There will be no price increase for our Hosted Exchange customers if they choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have. Every Hosted Exchange customer has the option to migrate and pay exactly what they are paying today or even slightly lower costs and have the same capabilities. Also, Rackspace Email continues to be unaffected and is an alternative option for customers who do not wish to migrate to Microsoft 365. Rackspace will continue to assist customers with choosing the best plan to meet their needs depending on the capabilities required for their businesses.
As the forensic investigation has now concluded, we will no longer be posting updates to this status page. Our customer support teams will continue to work directly with customers to make their data available for download and remain on standby for any additional customer questions. Data recovery for our customers remains the top priority for Rackspace, and we will continue to work around the clock on this effort.
While the Hosted Exchange email environment was a small part of our business, it represents thousands of long-time and loyal customers whom we deeply value. We sincerely thank all of our Hosted Exchange customers for their continued patience and trust in us throughout this process and will continue to work hard to maintain the relationships we have built with them over the years.