Description

Rackspace is a managed cloud computing provider based in San Antonio, Texas, that offers cloud hosting, dedicated servers, and multi-cloud solutions. The company serves more than 300,000 customers across the world, including two-thirds of the world's largest publicly traded companies. On the morning of September 24, 2024, Rackspace fell victim to a cyberattack that exploited a zero-day vulnerability in a monitoring application provided by ScienceLogic. The breach was initially traced to ScienceLogic's flagship SL1 software, but ScienceLogic later clarified that the vulnerability existed in an undocumented third-party utility bundled with the SL1 package. A threat actor exploited this zero-day vulnerability and gained access to monitoring information that included customer account names and numbers, customer usernames, device information, IP information and encrypted Rackspace internal device agent credentials.


Identify Indicators of Compromise (IoCs)

A user on X first highlighted the breach by connecting a Rackspace outage on September 24 to the exploitation of ScienceLogic's EM7 platform. Rackspace alerted ScienceLogic, whose investigation revealed a zero-day vulnerability in an unnamed third-party application bundled with its software. ScienceLogic has chosen to withhold the third-party software's identity to prevent other attackers from learning details that might be usable against other products that ship the same component.


Containment (If IoCs are Identified)

ScienceLogic responded quickly by developing a patch for the vulnerability and distributing it to all of its global customers. As a precaution, Rackspace reset the exposed credentials even though they were encrypted. Rackspace reported that the incident did not affect customer performance monitoring or core services, other than customers being temporarily unable to access their associated monitoring dashboard. Rackspace notified all of its customers of the incident by letter and assured them that no further action is required, as the malicious activity has been contained.


Prevention

The incident highlights the complexities and risks associated with using third-party software in critical infrastructure. In this case, the attack involved multiple supply chains, showing how bundled software can create unexpected entry points for attackers, even when the primary application is secure. Some of the security measures that should be taken to prevent or mitigate similar incidents today include the following:

  • Implement regular vulnerability scanning on all systems, including third-party and bundled components, to identify potential vulnerabilities early.
  • Conduct thorough vetting of all third-party suppliers and rigorous security assessments of all supplied components, including software, hardware and any third-party utilities bundled with them.
  • Enforce the principle of least privilege (PoLP) by limiting the access rights of all applications and users to the necessary minimum, restricting the access and lateral movement available to an attacker.
  • Ensure all systems are promptly updated when patches become available to maintain overall security.
  • Maintain open communication channels between software providers and their third-party vendors for faster identification and patching of vulnerabilities.
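The first two measures above hinge on knowing exactly what a vendor package actually contains, which is the point this incident makes: the vulnerable utility was bundled but undocumented. The following is an added example (not HALOCK's, Rackspace's or ScienceLogic's code) of how a practitioner can audit an installed vendor tree against the vendor's declared file manifest. The install tree, the manifest format and all file names are constructed for illustration; real vendors may publish an SBOM or a signed file list instead of the simple path-to-hash dictionary assumed here.

```python
"""Audit a vendor-supplied install tree against the vendor's declared manifest.

Added example, not code from the original bulletin or from any vendor named in it.
The install tree, manifest format and file names below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit_package(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare what is installed with what the vendor declared.

    Returns three sorted lists:
      undeclared - files present on disk but absent from the manifest
                   (the 'undocumented bundled utility' case from the incident)
      modified   - declared files whose on-disk hash differs from the manifest
      missing    - declared files that are not on disk
    """
    found = inventory(root)
    undeclared = sorted(set(found) - set(manifest))
    modified = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    missing = sorted(set(manifest) - set(found))
    return {"undeclared": undeclared, "modified": modified, "missing": missing}


def build_demo_tree() -> tuple[Path, dict[str, str]]:
    """Constructed sample: a fake install tree plus a manifest that omits one file."""
    root = Path(tempfile.mkdtemp(prefix="vendor_pkg_"))
    files = {
        "bin/collector": b"#!/bin/sh\necho collector\n",
        "lib/agent.so": b"\x7fELF fake agent",
        # Hypothetical helper the vendor ships but never lists in its manifest.
        "bin/helper-util": b"#!/bin/sh\necho undocumented helper\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    manifest = {
        "bin/collector": hashlib.sha256(files["bin/collector"]).hexdigest(),
        "lib/agent.so": hashlib.sha256(files["lib/agent.so"]).hexdigest(),
    }
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_tree()
    for category, paths in audit_package(demo_root, demo_manifest).items():
        print(f"{category}: {paths}")
```

Anything reported as undeclared is a component the vendor has not accounted for and therefore is not covered by the vendor's patch commitments or your own scanning scope; it should be identified, assessed and either removed or added to the inventory before the package goes into production. Re-running the audit after each vendor update also catches declared files whose contents changed without a corresponding manifest entry.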

HALOCK can help you not only prevent such incidents on your network but also avoid the ensuing vendor blame game that often follows. By implementing their comprehensive security measures and protocols, organizations can better protect their systems and foster accountability among all parties involved and establish reasonable security as regulations require.
