Rackspace hit with ScienceLogic zero-day attack

Cloud hosting provider Rackspace has confirmed that it suffered a security breach after threat actors exploited a zero-day vulnerability in the ScienceLogic IT operations platform.

The breach, which took place on September 24, 2024, occurred when cybercriminals targeted a zero-day remote code execution vulnerability in a utility bundled with ScienceLogic's application (SL1), which Rackspace uses for internal system monitoring and customer dashboards. This flaw allowed the attackers to gain unauthorized access to Rackspace's internal monitoring web servers, which hosted critical performance monitoring tools.

A Rackspace spokesperson told The Register that the vulnerability was not in Rackspace's own systems but in a third-party utility packaged alongside the ScienceLogic software. The company disabled its monitoring solution upon discovering the attack and has since rotated internal credentials to mitigate further risk.

In a message on its status page, Rackspace said that “on 24 September 2024, starting at approximately 11:40 CDT, Rackspace became aware of an issue with the ScienceLogic EM7 Portal. There will be no direct impact on monitoring services during this time, but customers will be unable to view the monitoring graphs on the MyRack portal.”

“As of 26 September 2024, we are currently testing an update that will enable us to restore ScienceLogic customer dashboards in the MyRack portal. However, we anticipate that the dashboards will remain offline until the end of this week.”

The breach impacted three of Rackspace’s internal web servers, and while there was no evidence of any direct customer service disruptions, the attackers managed to access “limited monitoring information.” This included customer account details, usernames, internally generated device IDs, device IP addresses, and AES256-encrypted device agent credentials.

In a letter sent to customers, Rackspace said that no other services, platforms, or products were affected by the breach. However, out of caution, the company began rotating the encrypted device credentials that were potentially exposed. Rackspace also assured clients that no immediate remediation steps were necessary on their part.

ScienceLogic, which provides IT infrastructure monitoring software, acknowledged the vulnerability and confirmed that a patch had been deployed to address the flaw. The company has yet to provide additional details regarding the nature of the vulnerability or how it was discovered.
