
Cyber Incident Victim: RSAWeb

Date:

Feb 2023

Location:

South Africa

Summary

A ransomware attack, described by the company as "highly sophisticated", disrupted RSAWeb's fibre, mobile, hosting, VoIP and PBX services and prompted immediate containment measures. Cloud and shared hosting customers were hit hardest. The incident was widely linked to the global ESXiArgs campaign exploiting a known, already-patched VMware ESXi vulnerability (CVE-2021-21974), although RSAWeb did not confirm the attack vector. Most fibre services were restored within 24 hours, while hosting and cloud services required extended recovery efforts. Independent cybersecurity advisors and the relevant authorities were engaged, and the company stated it had found no evidence of customer or employee data compromise.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On 1 February 2023, RSAWeb experienced a widespread network outage disrupting its fibre, mobile, hosting, VoIP, and PBX services. CEO Rudy van Staden confirmed in customer communications that the incident stemmed from a "highly sophisticated cyberattack," later identified by MyBroadband as a ransomware incident. The attack commenced in the early hours of that day, prompting immediate containment measures to isolate the threat and secure systems. Primary impacts centered on cloud and shared hosting customers, with services rendered inaccessible due to encryption. Restoration efforts prioritized fibre-related services—including FTTH, FTTB, MPLS, VoIP, and Mobile APN—with most reinstated within 24 hours. Remaining affected customers required manual reconfiguration of settings to regain connectivity. Van Staden characterized the attacker as "extremely capable and devious," noting the incident formed part of a broader campaign targeting multiple South African and international businesses.


RSAWeb engaged independent cybersecurity advisors and notified the relevant authorities, but maintained that no evidence suggested customer or employee data had been compromised. Recovery of cloud and hosting services proved more complex: in its Sunday evening communication the company projected that the majority would be restored within 24 hours, with the remaining systems to follow. Industry speculation linked the attack to the ESXiArgs ransomware campaign, which exploited CVE-2021-21974, a heap overflow in the OpenSLP service (TCP/UDP port 427) of VMware ESXi that allows unauthenticated remote code execution. VMware had patched the flaw two years earlier, in February 2021, and had advised administrators who could not patch to disable the SLP service; the campaign succeeded against hosts that had done neither. RSAWeb did not publicly confirm this vector or disclose whether decryption efforts succeeded. Throughout the incident the company provided incremental updates via direct customer letters and a Twitter advisory acknowledging ongoing disruption to FTTx, hosting and VoIP services, with engineers actively working on resolutions. Final confirmation of full restoration and of the attack specifics remained pending at the time of reporting.
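The check a practitioner would want after reading about this campaign is whether an ESXi host still exposes OpenSLP. The script below is an added example, not RSAWeb's or VMware's code: it parses the output of `chkconfig --list` and `esxcli network firewall ruleset list` to decide whether the `slpd` daemon and the `CIMSLP` firewall rule are both active, and applies the workaround VMware documents in KB 76372 (stop `slpd`, disable the `CIMSLP` ruleset, and keep `slpd` off across reboots). The two command outputs embedded in the block are constructed samples of a default-configured older host so the logic runs offline; on a real ESXi shell the script reads the live values instead.

```shell
#!/bin/sh
# Added example (not from RSAWeb or VMware): detect and mitigate an exposed
# OpenSLP service on ESXi, the surface abused by ESXiArgs via CVE-2021-21974.
# The esxcli/chkconfig commands are the ones VMware KB 76372 lists; the
# SAMPLE_* strings below are constructed output used when no esxcli exists.

# slp_service_on CHKCONFIG_OUTPUT -> "yes" if slpd is enabled at boot, else "no"
slp_service_on() {
    printf '%s\n' "$1" | awk '
        $1 == "slpd" { found = 1; if ($2 == "on") print "yes"; else print "no" }
        END          { if (!found) print "no" }'
}

# slp_firewall_open RULESET_OUTPUT -> "yes" if the CIMSLP ruleset (port 427) is enabled
slp_firewall_open() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { found = 1; if ($2 == "true") print "yes"; else print "no" }
        END            { if (!found) print "no" }'
}

# slp_exposed CHKCONFIG_OUTPUT RULESET_OUTPUT -> "exposed" only when both the
# daemon and its firewall rule are on; anything else counts as mitigated.
slp_exposed() {
    if [ "$(slp_service_on "$1")" = yes ] && [ "$(slp_firewall_open "$2")" = yes ]; then
        echo exposed
    else
        echo mitigated
    fi
}

# disable_slp: the KB 76372 workaround. Executes only on a real ESXi shell;
# elsewhere it prints what it would run. Patching ESXi remains the real fix.
disable_slp() {
    if command -v esxcli >/dev/null 2>&1; then
        /etc/init.d/slpd stop
        esxcli network firewall ruleset set -r CIMSLP -e 0
        chkconfig slpd off
    else
        echo "not an ESXi host; would run:"
        echo "  /etc/init.d/slpd stop"
        echo "  esxcli network firewall ruleset set -r CIMSLP -e 0"
        echo "  chkconfig slpd off"
    fi
}

# Constructed sample output resembling an unpatched, default-configured host.
SAMPLE_CHKCONFIG='ntpd            off
slpd            on
sshd            on'
SAMPLE_RULESET='Name       Enabled
---------  -------
CIMSLP     true
sshServer  true'

if command -v esxcli >/dev/null 2>&1; then
    state=$(slp_exposed "$(chkconfig --list)" "$(esxcli network firewall ruleset list)")
else
    state=$(slp_exposed "$SAMPLE_CHKCONFIG" "$SAMPLE_RULESET")
fi
echo "SLP state: $state"
if [ "$state" = exposed ]; then
    disable_slp
fi
```

Disabling SLP is a workaround, not a patch: hosts should also be updated to an ESXi build that fixes CVE-2021-21974 (ESXi 7.0 U2c and later ship with SLP disabled by default). The firewall ruleset check matters on its own, because a host whose management interface is reachable from the internet with port 427 open is exactly the population this campaign scanned for.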

Sources: 2 (available to members)