Rackspace hit by data breach after exploited Zero-day vulnerability in a third-party tool

Cloud hosting provider Rackspace experienced a data breach following the exploitation of a zero-day vulnerability in a third-party utility used within its ScienceLogic SL1 platform. The breach exposed limited customer monitoring data, including account details and encrypted internal credentials. The attack was first brought to light by a user on X (formerly Twitter) who linked a Rackspace outage on September 24 to active exploitation.

ScienceLogic, the IT operations platform provider for Rackspace, confirmed that the zero-day vulnerability existed in a non-ScienceLogic third-party utility bundled with the SL1 package. Jessica Lindberg, Vice President at ScienceLogic, stated that the company quickly developed a patch to address the issue, distributed globally to all affected customers. ScienceLogic declined to name the third-party utility to prevent further exploitation of other products.

The breach allowed attackers to access three internal monitoring web servers, compromising limited customer data, including account names, usernames, device IDs, IP addresses, and AES256-encrypted internal device credentials. While these credentials were encrypted, Rackspace rotated them as a precaution and reassured customers that no further action was required.

Despite the limited nature of the exposed data, the risk remains significant. Threat actors could potentially exploit exposed IP addresses in future DDoS attacks or additional security breaches. It remains unclear how many customers were affected by the breach.

Rackspace responded by disabling monitoring graphs on its MyRack portal to mitigate the risk, while still working on resolving the issue and pushing necessary updates to secure its systems.