Rackspace has reportedly suffered a supply chain attack that resulted in some internal monitoring information belonging to its clients being accessed.
Apparently, Rackspace used its own servers to host a monitoring dashboard, built by ScienceLogic, for its customers. ScienceLogic is an IT operations management platform that provides real-time monitoring, automation, and analytics for hybrid IT environments. Bundled with this monitoring dashboard came a piece of software (which ScienceLogic does not want to identify at this time) that contained a zero-day vulnerability.
“We identified a zero-day remote code execution vulnerability within a non-ScienceLogic third-party utility that is delivered with the SL1 package, for which no CVE has been issued,” a spokesperson for ScienceLogic told The Register.
Notifying the users
As it turns out, threat actors found out about this zero-day, and used it to gain access to Rackspace’s servers. There, they grabbed some internal monitoring information belonging to the company’s clients.
The Register also obtained a copy of a letter the company sent to affected customers. In it, Rackspace says that the internal monitoring information included customer account names and numbers, customer usernames, Rackspace internally generated device IDs, names and device information, device IP address, and AES256-encrypted Rackspace internal device agent credentials.
As soon as the company discovered the intrusion, it temporarily shut down its monitoring dashboard for its customers. ScienceLogic came back with a patch, and the vulnerability was fixed. Other than that, there was no additional impact. Customer performance monitoring was left untouched, and no other customer services were disrupted, it was said.
Consequently, customers need not take any action at this time. Still, Rackspace says that “in an abundance of caution”, users should rotate the Rackspace internal device agent credentials. Besides Rackspace, ScielceLogic also notified the customers of the incident.
