RSAWeb hit by ransomware attack
An outage that took down RSAWeb’s whole network on 1 February, including its fibre, mobile, hosting, VoIP, and PBX services, was a “highly sophisticated cyberattack”.
This is according to a letter from RSAWeb CEO Rudy van Staden to the company’s clients, sent late on Sunday evening.
MyBroadband was able to establish that it was a ransomware attack.
RSAWeb informed its largest enterprise clients last week that they had been hit with a ransomware attack.
We agreed to hold back on reporting the details last week, as RSAWeb said it was working on decrypting customers’ data, and they didn’t want to do or say something publicly that could compromise that effort.
In other words, they didn’t want a target on their backs until they were ready.
Ransomware attacks typically involve a malicious actor breaking into a system or network, encrypting all the data they can find, and then extorting the victims for a decryption key.
Last night, RSAWeb sent letters to its cloud hosting and fibre customers providing some explanation of what happened.
“In the early hours of Wednesday, 1 February 2023, RSAWeb was the target of a highly sophisticated cyberattack,” Van Staden stated.
“On discovery, steps were immediately taken to contain the threat and secure our systems.”
Van Staden said the attack particularly impacted their cloud and shared hosting customers.
“Given the sophisticated nature of this attack, the recovery process is highly complex,” he said.
“We are currently in the process of restoring these services and expect to have the majority of these customers restored within the next 24 hours, with the remainder thereafter.”
He said they had restored services to their Fibre to the Home (FTTH), Fibre to the Business (FTTB), MPLS, VolP, and Mobile APN customers.
In his letter to fibre customers, Van Staden said they restored most customers’ FTTH and FTTB services within 24 hours.
“[We] worked around the clock to assist our remaining customers to reconfigure their settings and get back online.”
Van Staden said they were not the only ones hit by this attack.
“We were unfortunately targeted by an extremely capable and devious threat actor,” Van Staden said.
“This attack is part of a campaign that has victimised many other businesses both in South Africa and globally.”
He said they don’t believe customer or employee data was accessed or misused due to the attack.
“The relevant authorities have been informed, and we have also engaged independent professional cybersecurity advisors.”
RSAWeb has yet to confirm what kind of attack it fell prey to.
However, industry speculation suggests that it was hit with a widespread attack on VMware ESXi that occurred last week, dubbed the ESXiArgs ransomware campaign.
Cybersecurity agencies worldwide issued notices last week about attackers actively targeting unpatched VMware ESXi servers.
Bleeping Computer reported that the attack exploited a security flaw tracked as CVE–2021–21974.
This is a two-year-old remote code execution vulnerability that involves triggering a a heap overflow in the OpenSLP service.
“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” the CVE’s description states.
There are guides online that allow those targeted by these attacks to recover encrypted files.
MyBroadband contacted RSAWeb for comment, and it promised to provide detailed feedback once the incident was resolved.