Rackspace monitoring data stolen in ScienceLogic zero-day attack


Cloud hosting provider Rackspace suffered a data breach exposing “limited” customer monitoring data after threat actors exploited a zero-day vulnerability in a third-party tool used by the ScienceLogic SL1 platform.

ScienceLogic confirmed to BleepingComputer that they quickly developed a patch to address the risk and distributed it to all impacted customers while still providing assistance where needed.

“We identified a zero-day remote code execution vulnerability within a non-ScienceLogic third-party utility that is delivered with the SL1 package,” explained a statement from Jessica Lindberg, Vice President at ScienceLogic.

“Upon identification, we rapidly developed a patch to remediate the incident and have made it available to all customers globally.”

ScienceLogic declined to name the third-party utility to avoid providing hints to other hackers, as it might be used on several other products.

The attack was first disclosed by a user on X who warned that a Rackspace outage from September 24 was due to active exploitation in the hosting provider’s ScienceLogic EM7.

“Oopsie, a zero-day remote code execution vulnerability was exploited … third-party ScienceLogic application used by Rackspace,” an account named ynezz shared on X.

“We have confirmed that the exploit of this third-party application resulted in access to three internal Rackspace monitoring webservers.”

ScienceLogic SL1 (formerly EM7) is an IT operations platform for monitoring, analyzing, and automating an organization’s infrastructure, including cloud, networks, and applications.

It provides real-time visibility, event correlation, and automated workflows to help manage and optimize IT environments efficiently.

Rackspace, a managed cloud computing (hosting, storage, IT support) company, uses ScienceLogic SL1 to monitor its IT infrastructure and services.

In response to the discovery of the malicious activity, Rackspace disabled monitoring graphs on its MyRack portal until they could push an update to remediate the risk.

However, the situation was worse than what a short Rackspace service status update reflected.

As first reported by The Register, Rackspace’s SL1 solution was hacked via the zero-day and some customer information was stolen.

In an email sent to customers and seen by The Register, Rackspace warned that the hackers exploited the zero-day to gain access to web servers and steal limited customer monitoring data, including customer account names and numbers, customer usernames, Rackspace internally generated device IDs, device name and information, IP addresses, and AES256 encrypted Rackspace internal device agent credentials.

Rackspace rotated those credentials as a precaution, despite them being strongly encrypted, and informed customers they needed to take no further action to protect from the malicious activity, which had been stopped.

While the data is limited, it is common for companies to hide their devices’ IP addresses behind content delivery systems and DDoS mitigation platforms. Threat actors could use the exposed IP addresses to target a company’s devices in DDoS attacks or further exploitation attempts.

It is unknown how many customers have been impacted by this breach.

Update 10/2 – A Rackspace spokesperson has sent BleepingComputer the following information:

On September 24th, 2024, Rackspace discovered a zero-day remote code execution vulnerability in a non-Rackspace utility that is packaged and delivered by the third-party ScienceLogic application (known as SL1). This was not a Rackspace vulnerability. Rackspace utilizes the ScienceLogic application internally to provide system monitoring of some (but not all) Rackspace services.

The system improperly accessed, as a result of exploitation of the SL1 vulnerability, is a Rackspace system used for generating internal performance reporting and is internal to Rackspace. Our forensic investigation identified no access to customer configurations, or their hosted data.

Rackspace immediately notified ScienceLogic of their vulnerability. Rackspace worked with ScienceLogic to ensure development of a patch to remediate their vulnerability, and ScienceLogic has now made it available to all of their customers globally.

Limited performance monitoring information of low-security sensitivity was improperly accessed. Out of an abundance of caution, all impacted customers have been notified. No remediation steps are required from customers.

Rackspace’s monitoring functionality is not dependent on the ScienceLogic dashboard, and our Rackspace customer performance monitoring was not impacted by this event. There was no interruption to our monitoring and alerting services for our customers.

The only service impact to customers was the inability to access their associated ScienceLogic monitoring dashboard, which is an optional service feature infrequently utilized by some customers. – Rackspace spokesperson

Bill Toulas
