Since last Saturday, the hosted Exchange service of Stuttgart-based United Hoster has been unavailable. According to the company, the cause is a ransomware attack. The provider now plans to rebuild its IT systems in order to recover.
“As part of an internal investigation, it was determined that an attacker exploited an unknown vulnerability in Microsoft Exchange to gain access to the Exchange Server,” a company spokesman said when asked by heise online. During this unauthorized access, ransomware was placed on the server and encrypted large parts of it, in particular the mail databases.
Ransomware attack: Data encrypted but not exfiltrated
“According to our analyses and our permanent monitoring, according to the current state of knowledge, there is no indication of data leakage,” added the spokesman. So far, no ransom demand has been received, which the company sees as further evidence that no data has been leaked.
The IT team immediately took countermeasures. The company informed the “data protection officer, submitted a report to the competent state data protection supervisory authority within the deadlines set by the GDPR and filed a criminal complaint with the police. We work closely and trustingly with the investigating authorities,” added the company spokesman.
Customers have been informed of the incident. They were “provided with an alternative solution for e-mails”. E-mails arriving since the outage are said to be held in a queue on an upstream system and delivered there once the alternative e-mail solution has been made available. It remains unclear what the alternative is, for example direct hosting at Microsoft Online, which other hosted Exchange providers have resorted to in past incidents of this kind.
United Hoster is currently building a new Microsoft Exchange environment into which customers will eventually be migrated so that they can regain the full range of functions. The company does not want to provide precise information on the number of affected customers or mailboxes, saying this is a trade secret. It is also unclear when United Hoster expects the services to be restored in the new environment.
The company spokesman did not say which Exchange vulnerability the attackers were able to exploit. In December last year, Rackspace, a large hosted Exchange provider, suffered a cyber attack. Its customers were migrated to Microsoft 365 as a quick fix. In that case, some Exchange vulnerabilities related to ProxyNotShell were exploited for the intrusion in order to install the Play ransomware.