Rackspace has confirmed personal data of customers was accessed in a ransomware attack by the PLAY cybercrime gang. The company said it will not be restoring its managed Microsoft Exchange Server environment following the breach in December. But this latest update is unlikely to satisfy disgruntled clients who have been without access to email servers for weeks.

Rackspace has released the results of an investigation into the recent ransomware attack on its servers (pic: T.Schneider/Shutterstock)

Multicloud provider Rackspace announced the results of an investigation into the cyberattack. Twenty-seven personal storage tables (PST files) were accessed by the criminals, who exploited the zero-day vulnerability CVE-2022-41080, according to the probe by security vendor CrowdStrike.

More than half of affected customers now have their data back, Rackspace says. “Less than 5% of those customers have actually downloaded the mailboxes we have made available,” the company said in an update posted Friday. “This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data,” it said. 

The update went on to announce that the hosted Microsoft Exchange environment would not be offered as a service to new customers. “Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionality,” Rackspace said. “There will be no price increase for our Hosted Exchange customers if they choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have.”

The Rackspace update does little to help affected customers

The attack on 2 December impacted 30,000 Rackspace customers, with most left without email capabilities or historical data for weeks. 

In a regulatory filing, the company said that the cyberattack was going to affect less than 1% of customers “and is comprised of primarily small and medium businesses who solely use this product. No other Rackspace products, platforms, solutions or businesses were affected or are experiencing downtime during this incident,” the filing says. 

Rackspace’s approach to the breach has left many customers, particularly small businesses, frustrated, and this latest update is unlikely to change that, says Brian Higgins, security specialist at cybersecurity product comparison site Comparitech. “This is a bit of ‘well it could have been worse’ PR-speak,” Higgins says. “If this attack wasn’t serious for the affected users they’d all be happily emailing their customers again by now and making money. The fact that they are the only 1% [of Rackspace customers] who are suffering is really not going to make anyone feel better.”

Furthermore, Rackspace has been keen to point out that Microsoft’s initial disclosure of the vulnerability said it was only capable of allowing a privilege escalation attack, allowing unauthorised access to data, rather than a remote code execution attack, which enables the criminals to take unauthorised control of a machine. “This struck me as cyber-semantics given the circumstances,” Higgins says. “Rackspace is trying to shift a bit of culpability onto the Microsoft disclosure descriptions of the methodologies used to mount this attack but there seems little point as none of this will help any of the affected customers.

“They are clearly having some trouble restoring data to their affected clients so at this point nobody really cares how the criminals did it, they just want it fixed,” notes Higgins.

Rackspace cyberattack and the wider problems with Microsoft Exchange

The issues that caused this attack cannot be fixed easily as they are a symptom of a much wider problem, Higgins adds. “The PLAY gang’s success is a symptom of the ‘first to market – fix it later’ tech business model that all of the major platform providers operate,” he says. “They are content to run potentially vulnerable code if it gets their apps and products selling, and rely on patching to fix any bugs, however serious, as they come to light through user experience. I can’t imagine the boffins at Microsoft will be all that bothered by what, for them, is just another bug fix.”

Microsoft Exchange is an ageing system built on legacy software, and it is so entrenched in organisations around the globe that it is very hard to fix. There are 300,000 physical mailbox servers and 7.3 billion online inboxes worldwide. The service is nearly 30 years old and runs on some legacy code that is full of vulnerabilities. These cannot be fixed quickly, explains Allan Liska, cybersecurity lead at security company Recorded Future.

“Unfortunately for Microsoft, starting with Chinese hackers back in 2020, attackers have realised that these servers have a lot of vulnerabilities,” Liska says. “Once bad guys find vulnerabilities like these, especially something that will provide remote access, then they all swarm to that product.” 

He adds: “Microsoft Exchange is integral to customers that have it, to the teams that use it and it makes Microsoft a lot of money. It’s hard to say ‘oh well we’ll just get rid of it’. Despite the vulnerabilities, too many people rely on it.”
