
Cyber Incident Victim: United Hoster

Date:

May 2023

Location:

Germany

Summary

United Hoster suffered a ransomware attack that encrypted its Hosted Exchange servers, particularly the mail databases, rendering the service offline. The company stated there was no evidence of data exfiltration and no ransom demand had been received. An investigation found the attackers exploited an unknown vulnerability in Microsoft Exchange to gain access. Countermeasures were taken, law enforcement was notified, and customers were provided with an alternative mail solution while a new Exchange environment is built.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On or around May 20, 2023, the Stuttgart-based cloud service provider United Hoster suffered a ransomware attack that resulted in the complete unavailability of its Hosted Exchange service. The incident began on a Saturday, with the service going offline and remaining unavailable. According to a company spokesperson, an internal investigation determined that an attacker had exploited an unknown vulnerability within Microsoft Exchange to gain access to the Exchange server. This unauthorized access was used to deploy ransomware onto the server. The primary effect of this malicious software was the comprehensive encryption of the servers, with a specific focus on the mail databases, rendering the data inaccessible.


The company's analysis and continuous monitoring led it to state that, based on its knowledge at the time, there was no evidence that any data exfiltration had occurred. This assessment was further supported by the fact that no ransom demand had been received by the company at that point. United Hoster viewed the absence of an extortion request as an additional indicator that data theft had not taken place as part of the attack. The IT team at United Hoster implemented countermeasures immediately upon discovery of the incident. The company followed its regulatory obligations by informing its data protection officer and subsequently submitting a notification to the relevant state data protection supervisory authority within the deadlines stipulated by the GDPR.

United Hoster also filed a criminal complaint with the police and stated it was cooperating closely and confidentially with the investigating authorities. All affected customers were notified about the security breach. To provide immediate relief, United Hoster supplied its customers with an alternative solution for email services. Incoming emails that arrived after the outage began were held in a queue on an upstream system, where they were stored pending the deployment of the alternative mail solution, after which they would be delivered. The specific nature of this alternative email solution was not disclosed by the company, leaving it unclear if it involved direct hosting with Microsoft Online or another provider.

The long-term recovery plan involved United Hoster building an entirely new Microsoft Exchange environment from the ground up. The intention was to migrate all customers to this new infrastructure to restore full functionality. The company declined to provide precise figures regarding the number of customers or individual mailboxes impacted by the attack, citing business secrecy. A timeline for the completion of the service restoration within the new environment was also not made public. The particular Microsoft Exchange security vulnerability exploited by the attackers was not identified by the company spokesperson. The incident drew parallels to a previous cyberattack against the large hosted Exchange provider Rackspace in December of the prior year, which involved the exploitation of vulnerabilities related to ProxyNotShell to install the Play ransomware and ultimately led to a mass migration of customers to Microsoft 365.

Sources
1 source (available to members)