Rackspace monitoring systems rocked by zero-day

Intruders accessed internal web servers via tool bundled with ScienceLogic, 'limited' info taken, customers told not to worry

The Register

Exclusive Rackspace has told customers intruders exploited a zero-day bug in a third-party application it was using, and abused that vulnerability to break into its internal performance monitoring environment.

That intrusion forced the cloud-hosting outfit to temporarily take its monitoring dashboard offline for customers.

"On September 24, 2024, Rackspace discovered a zero-day remote code execution vulnerability in a non-Rackspace utility that is packaged and delivered alongside the third-party ScienceLogic application," a spokesperson for the IT provider told The Register Monday.

In fact, it not only discovered that flaw in the third-party utility, it realized it had been exploited.

Rackspace uses this ScienceLogic stack internally for system monitoring. ScienceLogic, which supplies IT infrastructure observation software, did not immediately respond to a request for more information.

Abusing this vulnerability gave the criminals access to three of Rackspace's internal monitoring webservers, "and some limited monitoring information," the Rackspace spokesperson told us, adding:

Customer performance monitoring was not impacted by this event. The only impact to customers was the inability to access their associated monitoring dashboard. There was no other customer service disruption as a result of this event.

A letter sent to Rackspace customers and shared earlier with The Register by a reader provides additional details about what the crooks accessed. It notes that the "limited" internal monitoring information included: customer account names and numbers, customer usernames, Rackspace internally generated device IDs, names and device information, device IP addresses, and AES256-encrypted Rackspace internal device agent credentials.

We've asked Rackspace for more details about this cyber close shave, such as how many customers were affected.

The letter customers received also says there is no need for them to take any remediation steps, but "in an abundance of caution, we commenced rotation of the Rackspace internal device agent credentials."

"There was no other customer service disruption as a result of this event," the biz told its clients. "No other Rackspace products, platforms, solutions, or businesses were affected by this event. We have actively notified all affected customers and are updating customers as appropriate."

Rackspace also assured us that upon spotting the security breach, it immediately isolated the affected equipment, took it offline, and then worked with ScienceLogic to develop and apply a patch.

"ScienceLogic has notified their customers, and we have actively notified Rackspace customers utilizing this third-party monitoring service," the spokesperson said.

In December 2022, the IT provider's hosted Microsoft Exchange service was hit by a ransomware attack, which shut down email services to thousands of customers, most of whom were small and mid-sized businesses.

The company's expenses related to the cyberattack, also due to a zero-day exploit, hit about $11 million, Rackspace said in a 2023 regulatory filing. ®

Updated to add at 0100 UTC, September 30

While we continue to press ScienceLogic to identify the third-party application that was exploited, the biz has told us the vulnerable program was bundled with its SL1 monitoring product, and that it is pushing out a fix to its clients.

"We identified a zero-day remote code execution vulnerability within a non-ScienceLogic third-party utility that is delivered with the SL1 package, for which no CVE has been issued," a spokesperson for ScienceLogic told us.

"Upon identification, we rapidly developed a patch to remediate the incident and have made it available to all customers globally. We are focused on assisting our customers in implementing the fix to minimize their risk. We will continue to update customers as appropriate."