12/7/2022 Update: Rackspace now acknowledges they have been the victim of a ransomware attack. On Tues. Dec. 6th they confirmed the following incident facts:
- The Attack was limited to their Hosted Exchange platform.
- They immediately brought in a “leading cyber defense firm”.
- They’ve implemented additional security measures in an “abundance of caution”.
- They continue to help customers migrate to a new environment (outside Hosted Exchange).
Summary: Rackspace’s Disaster Recovery Plan (DRP) seems to have failed them. Either that, or they want to exit the Hosted Exchange services business ($30 million last year) and move folks to Microsoft 365 environments. CyberHoot recommends migrating to M365 but not necessarily through Rackspace.
Publication Date: 12/6/2022
CyberHoot has been monitoring a security incident at Rackspace since the morning of December 2nd that has resulted in widespread email outages for their hosted Exchange clients. As of this moment, 4 days into the incident, Rackspace has not been forthcoming in their Incident Response Blog on the extent, root cause, or firm timeline for resumption of services in hosted Exchange. Instead, they’ve encouraged all clients to migrate to Microsoft O365 off of their hosted Exchange platforms.
All email flowing through Rackspace hosted Exchange has been taken offline while Rackspace battles the incident. MSPs have had to scramble with temporary fixes such as forwarding all incoming email to a different email provider or re-provisioning under a Rackspace IMAP service in a separate enclave still within their hosting service environment. Still other MSPs are migrating off hosted Exchange entirely and over to Microsoft O365 with Rackspace or other providers such as Sherweb’s O365 Services.
How did we get here?
Speculation abounds as to what has happened. However, CyberHoot will not make any speculative statements here. What we will do is report the facts of the situation. When we know definitively what happened, we’ll update this section of the article.
What should you be doing?
By now, you’ve set up forwarding rules for your impacted clients. That’s a start. Otherwise, you might consider a wholesale migration to Microsoft O365 or Google Workspace. In all cases, wherever your email services end up residing, you must enable 2FA on the accounts to prevent Business Email Compromise from impacting your company or your clients.
You should also be planning a migration away from hosted Exchange services, whichever provider hosts them. According to multiple sources, O365 is the more secure, feature-rich, and consistent environment for end users. CyberHoot’s review of multiple review websites found consistently that “Office 365 as a whole is a safer and more reliable solution than hosted Exchange” (Source). While this current Rackspace outage is a single incident, it does cast a deep shadow and a question mark over hosted Exchange provider security. CyberHoot recommends you evaluate a migration off hosted Exchange services towards O365 or similar (Google Workspace) as soon as you can, or immediately migrate to O365 if you’re impacted by the Rackspace incident.