Enterprise cloud host Rackspace has been hacked via a zero-day flaw in ScienceLogic’s monitoring app, with ScienceLogic shifting the blame to an undocumented vulnerability in a different bundled third-party utility.
The breach, flagged on September 24, was traced back to a zero-day in ScienceLogic’s flagship SL1 software but a company spokesperson tells SecurityWeek the remote code execution exploit actually hit a “non-ScienceLogic third-party utility that is delivered with the SL1 package.”
“We identified a zero-day remote code execution vulnerability within a non-ScienceLogic third-party utility that is delivered with the SL1 package, for which no CVE has been issued. Upon identification, we rapidly developed a patch to remediate the incident and have made it available to all customers globally,” ScienceLogic explained.
ScienceLogic declined to identify the third-party component or the vendor responsible.
The incident, first reported by the Register, caused the theft of “limited” internal Rackspace monitoring information that includes customer account names and numbers, customer usernames, Rackspace internally generated device IDs, names and device information, device IP addresses, and AES256 encrypted Rackspace internal device agent credentials.
Rackspace has notified customers of the incident in a letter that describes “a zero-day remote code execution vulnerability in a non-Rackspace utility, that is packaged and delivered alongside the third-party ScienceLogic application.”
The San Antonio, Texas hosting company said it uses ScienceLogic software internally for system monitoring and providing a dashboard to users. However, it appears the attackers were able to pivot to Rackspace internal monitoring web servers to pilfer sensitive data.
Rackspace said no other products or services were impacted.
This incident follows a previous ransomware attack on Rackspace‘s hosted Microsoft Exchange service in December 2022, which resulted in millions of dollars in expenses and multiple class action lawsuits.
In that attack, blamed on the Play ransomware group, Rackspace said cybercriminals accessed the Personal Storage Table (PST) of 27 customers out of a total of nearly 30,000 customers. PSTs are typically used to store copies of messages, calendar events and other items associated with Microsoft Exchange and other Microsoft products.
Related: Rackspace Completes Investigation Into Ransomware Attack
Related: Play Ransomware Gang Used New Exploit Method in Rackspace Attack
Related: Rackspace Hit With Lawsuits Over Ransomware Attack
Related: Rackspace Confirms Ransomware Attack, Not Sure If Data Was Stolen
