Ransomware attack reveals the need for a response plan.
Rackspace, one of the leading remaining providers of Hosted Exchange, experienced an outage beginning December 2, 2022, declared it a security incident on December 3, and has since been encouraging customers to move to Microsoft's Exchange Online. On the morning of December 6, Rackspace acknowledged that the incident was a ransomware attack.
For every professional responsible for keeping critical cloud infrastructure available, this is an opportunity to re-evaluate the use of legacy hosting and to strengthen incident response (IR) and disaster recovery (DR) plans so that they cover outages and security incidents like this one.
Your IR and DR plans should include scenarios in which your cloud provider itself is unavailable. Incidents and outages of this magnitude are exceedingly rare for hyperscalers like Microsoft and Amazon Web Services, but rare is not the same as impossible. The same preparation pays off for far more common events, such as routine service interruptions or a compromise limited to your own tenant.
Questions to Consider for Your DR and IR Plans
These questions can help jumpstart your DR and IR thinking and planning:
- What critical applications and services are running on which cloud or clouds? (In the case of Rackspace, email was down, which dealt a crushing blow to organizations on Hosted Exchange (HEX), not just for communications but also for files that had only ever been shared via email.)
- How are you backing up your critical data?
- How do you restore it?
- How much downtime can the company survive?
- How much downtime do you tolerate before invoking your disaster recovery process?
- Who is your backup provider going to be?
- How are you going to get critical data into that backup provider?
- How are you going to get users up and running?
- How are you (the IT administrators and incident responders) going to communicate if your primary communication tools are compromised or unavailable?
Once you have worked the answers into your DR and IR plans, test the plans. Practice pulling data from your backup provider and restoring it into test accounts. Test your backup communication channels, and confirm that the fallback systems perform well enough for the business to keep operating.
Being in the cloud does not remove the need for backups. Most small and medium-sized businesses (SMBs) and large enterprises rely on Microsoft 365 for communications, collaboration, and security, but even there a third-party backup is the minimum, not an option. Data needs to exist in more than one place, always.
Key Cybersecurity Considerations
From the outside, it’s impossible to know the full extent of the Rackspace security incident. Given the available communications from the company and the nature of the incident, I would make the following assumptions and recommendations:
- There is no indication that data in the Rackspace environment is recoverable; customers should be prepared to move forward without it. For Rackspace customers who used Outlook in Cached Exchange Mode, Outlook's Import/Export wizard can export the locally cached copy of the mailbox to a PST file. This is unlikely to be the entire mailbox, since the cache only holds items within the configured sync window, but it is better than nothing.
- It is likely that credentials used in the environment were compromised. Take an “assume compromise” approach: any password used on the Rackspace environment must be treated as burned and must not be used anywhere else. Pass this instruction down to every user.
- Take the same “assume compromise” approach to the data stored in that environment. There is no way of knowing exactly which data was or was not exfiltrated, so assume all data in the Hosted Exchange environment is no longer confidential and act accordingly, for example by rotating any secrets that were ever sent by email.
- The directory data within the Exchange environment is also likely compromised. Depending on which attributes were populated, names and email addresses were likely taken at a minimum, and possibly job titles, personal phone numbers, reporting relationships, and other intelligence useful for targeting. Users should be hyper-vigilant for business email compromise, spear phishing, and other highly targeted attacks.
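As an added example (not code from the original post, nor from Rackspace or Pax8), the following PowerShell script enforces the credential side of the “assume compromise” advice above in the Microsoft 365 tenant that receives the migrated users: every enabled member account is forced to set a new password at next sign-in, and its existing refresh tokens are revoked so that a session established with the old password cannot silently renew. It assumes the Microsoft.Graph PowerShell SDK is installed, that the operator holds a role permitted to reset passwords, and that the break-glass account name in `$Exclude` is a hypothetical placeholder.

```powershell
<#
  Added example, not from the original post.
  Treat every password that was ever used on the compromised Hosted Exchange
  environment as burned: force a new password at next sign-in for each enabled
  member account in the Microsoft 365 tenant and revoke existing sign-in sessions.

  Assumptions (not stated on the page): Microsoft.Graph PowerShell SDK installed,
  operator holds a role allowed to reset passwords, and the -Exclude entry is a
  hypothetical break-glass account name.
#>
param(
    [string[]]$Exclude = @('breakglass1@contoso.example'),  # hypothetical; never lock yourself out
    [switch]$Apply                                          # omit for a dry run
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Member accounts only: guests never had a password on the old environment, and
# disabled accounts cannot sign in anyway. ConsistencyLevel/CountVariable let
# Graph evaluate the userType filter as an advanced query and report the total.
$users = Get-MgUser -All `
    -Filter "userType eq 'Member' and accountEnabled eq true" `
    -ConsistencyLevel eventual -CountVariable total `
    -Property Id, UserPrincipalName

$done = 0
foreach ($u in $users) {
    if ($Exclude -contains $u.UserPrincipalName) {
        Write-Host "SKIP    $($u.UserPrincipalName) (excluded)"
        continue
    }
    if (-not $Apply) {
        Write-Host "DRY-RUN $($u.UserPrincipalName): would force reset and revoke sessions"
        continue
    }
    # 1. The reused Rackspace-era password dies at the next interactive sign-in.
    Update-MgUser -UserId $u.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
    # 2. Invalidate refresh tokens so cached sessions on phones and laptops must
    #    re-authenticate with the new password rather than renewing silently.
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    Write-Host "DONE    $($u.UserPrincipalName)"
    $done++
}
Write-Host "Processed $done of $total enabled member accounts (Apply=$Apply)."
```

Run it once without `-Apply` to see which accounts it would touch. Two caveats: keep at least one break-glass account excluded so an error cannot lock every administrator out, and for accounts synchronised from on-premises Active Directory the password profile is owned by the on-premises directory, so the reset has to be performed there instead.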
Time to Modernize?
The Hosted Exchange model was the original “cloud business email,” but it has seen little innovation in recent years. As this incident demonstrates, it offers weak isolation between customers and is exposed to total compromise when the shared environment falls.
This incident might just be the “shot heard ‘round the world” for legacy hosting, and it may be time to move to modern cloud-native environments like Microsoft 365.
How Can Pax8 Help?
Pax8 can assist in multiple ways. Your channel account manager and account team can help you order the right licensing to get your clients moved to Microsoft 365 as quickly as possible.
In addition, Pax8 Professional Services is offering an emergency tenant setup service at no cost to partners impacted by this incident through December 31, 2022, and can help get your clients set up on Microsoft 365. Schedule a call or reach out to your channel account manager for more information.