Rackspace monitoring data stolen in ScienceLogic zero-day attack

Cloud hosting provider Rackspace suffered a data breach exposing "limited" customer monitoring data after threat actors exploited a zero-day vulnerability in a third-party tool used by the ScienceLogic SL1 platform.

ScienceLogic confirmed to BleepingComputer that it quickly developed a patch to address the risk and distributed it to all affected customers, while continuing to provide support where needed.

“We identified a zero-day remote code execution vulnerability within a non-ScienceLogic third-party utility that is delivered with the SL1 package,” explained a statement from Jessica Lindberg, Vice President at ScienceLogic.

“Upon identification, we rapidly developed a patch to remediate the incident and have made it available to all customers globally.”

ScienceLogic declined to name the third-party utility to avoid giving hints to other hackers, as it may be used in a number of other products.

The attack was first disclosed by a user on X who warned that a Rackspace outage on September 24 was due to active exploitation in the hosting provider’s ScienceLogic EM7.

“Oopsie, a zero-day remote code execution vulnerability was exploited … third-party ScienceLogic application used by Rackspace,” an account named ynezz shared on X.

“We have confirmed that the exploit of this third-party application resulted in access to three internal Rackspace monitoring webservers.”

Ynezz tweet

ScienceLogic SL1 (formerly EM7) is an IT operations platform for monitoring, analyzing, and automating an organization’s infrastructure, including cloud, networks, and applications.

It provides real-time visibility, event correlation, and automated workflows to help manage and optimize IT environments efficiently.

Rackspace, a managed cloud computing (hosting, storage, IT support) company, uses ScienceLogic SL1 to monitor its IT infrastructure and services.

In response to the discovery of the malicious activity, Rackspace disabled monitoring graphs on its MyRack portal until it could push an update to remediate the risk.

However, the situation was worse than what a brief Rackspace service status update reflected.

As first reported by The Register, Rackspace’s SL1 deployment was hacked through the zero-day and some customer information was stolen.

In an email sent to customers and seen by The Register, Rackspace warned that the hackers exploited the zero-day to gain access to web servers and steal limited customer monitoring data, including customer account names and numbers, customer usernames, Rackspace internally generated device IDs, device names and information, IP addresses, and AES256-encrypted Rackspace internal device agent credentials.

Rackspace rotated these credentials as a precaution, despite them being strongly encrypted, and informed customers that they needed to take no further action to protect themselves from the malicious activity, which had been stopped.

While the data is limited, it is common for companies to hide their devices’ IP addresses behind content delivery networks and DDoS mitigation platforms. Threat actors could use the exposed IP addresses to target the company’s devices in DDoS attacks or further exploitation attempts.

It is unknown how many customers were impacted by this breach.

BleepingComputer contacted Rackspace with further questions but did not receive a response.
