Exploited ScienceLogic zero-day led to the Rackspace data theft

October 3, 2024
Rackspace, a cloud hosting provider, suffered a data breach that exposed “limited” client monitoring data after the attackers allegedly exploited a zero-day flaw in a third-party tool used by the ScienceLogic SL1 platform.

According to reports, the maintainers of the third-party tool promptly developed a patch for the flaw and released it to all potentially affected customers. ScienceLogic’s vice president disclosed that their investigation traced the incident to a zero-day remote code execution (RCE) flaw in a non-ScienceLogic third-party application bundled with the SL1 package.

However, the company declined to name the third-party software, so that other attackers could not obtain details that might be used against different products.

ScienceLogic SL1 (previously EM7) is an IT operations platform that monitors, analyses, and automates an organisation’s infrastructure. Its services can be applied to the cloud, networks, and apps. Rackspace, a managed cloud computing provider, employs ScienceLogic SL1 to monitor its IT infrastructure and services.

Rackspace immediately halted its monitoring processes on its interface after becoming aware of the attack.

Rackspace stopped monitoring graphs on its MyRack interface after discovering suspicious behaviour. Subsequently, it immediately delivered an update to mitigate the risk.

However, the problem was worse than Rackspace’s brief service status report indicated. The Register first reported that Rackspace’s SL1 system had been compromised while the flaw was still an unpatched zero-day, and that some client information was stolen.

The discovery prompted the company to warn its customers that the attackers had used the zero-day to gain access to web servers and steal limited customer monitoring data. The allegedly stolen data include customer account names and numbers, customer usernames, Rackspace internally generated device IDs, device names and information, IP addresses, and AES256-encrypted Rackspace internal device agent credentials.

Although the credentials were encrypted, the company rotated them as a precautionary measure. It also advised its customers that no additional action is required on their part, since the malicious activity has already been addressed.

Researchers noted that businesses usually conceal their devices’ IP addresses behind content delivery networks and DDoS mitigation services, and restrict access to that data.

Potentially impacted customers should remain alert, as unidentified threat actors could use the exposed IP addresses to target business equipment with DDoS attacks or other exploitation attempts.
