Rackspace Says Zero-Day Data Breach Occurred Due to Third-Party Vendor ScienceLogic

• Rackspace disclosed a zero-day remote code execution vulnerability was exploited in a recent data breach that impacted the company.
• The announcement said the fault lies with a third-party utility belonging to ScienceLogic.
• Rackspace has also released emergency patches for the affected versions.

American cloud computing giant Rackspace suffered a data breach involving a zero-day exploit traced to ScienceLogic's SL1 software. The security incident was detected on September 24 and initially linked to a zero-day vulnerability within ScienceLogic’s flagship monitoring app, reports say.

However, ScienceLogic has since indicated that the root cause was an undocumented flaw in a third-party utility bundled with their software, though the specific component and vendor remain undisclosed.

The attack, which was first discovered and reported by Rackspace’s internal security team, has reportedly affected several companies, including a major financial services firm. According to ScienceLogic's statement on the matter, the vulnerability was present in versions 10.4.x through 11.1.x of their software and has since been patched with the release of version 11.3.

Rackspace has also released emergency patches and is currently conducting a comprehensive investigation into the extent of the breach.

The incident resulted in the unauthorized access and theft of Rackspace's internal monitoring information, which included sensitive data such as customer account names, usernames, device IDs, IP addresses, and AES256 encrypted Rackspace internal device agent credentials. 

Rackspace has assured that no other products or services were impacted and has taken steps to notify affected customers. Although the data compromised was limited to internal monitoring information, it raises concerns about the security protocols surrounding third-party utilities.

This incident follows a previous ransomware attack involving Rackspace’s hosted Microsoft Exchange service in December 2022, which caused significant financial repercussions and legal challenges.

One of the latest zero-day flaws added by CISA to its Known Exploited Vulnerabilities catalog was a Windows MSHTML spoofing zero-day flaw that allows a remote attacker to execute arbitrary code.