ColoCrossing’s ColoCloud brand suffered a breach over the last 24 hours, resulting in emails to users (from both hacker and CC), as well as a fast and furious thread on LowEndTalk.

The story is still coming together, as ColoCrossing is working on restoring services, but here’s what we’ve been able to piece together.

The breach is only on the ColoCloud side.  ColoCrossing’s massive dedicated server business is unaffected.  If you’re a customer, this means that if you’re logging in to the ‘portal’ side of the business, your systems are fine.  The breach is only on the ‘cloud’ side.  The WHMCS system is also unaffected.

This was caused by a Virtualizor bug.  While the dedicated server side runs on a proprietary management system, Vitualizor is used to administer the ColoCloud side of the business.  It’s likely that other providers are vulnerable as well.  As RackNerd’s Dustin Cisneros noted:

RackNerd is not affected by this breach, it’s worth noting that there have been several Virtualizor vulnerabilities floating around as of late (even affecting other providers here, some who haven’t even made statements) – one more recent one being Virtualizor’s support/live chat system being compromised.

This was an extortion play, and if you read the LowEndTalk thread you’ll see several posts by the hackers themselves, from accounts since banned by the mods.  The hackers claimed this was some kind of altruistic play to expose child pornography, but the reality is that they were asking for money.  (As a side note, in any large hosting environment, you’ll inevitably find some bad users.  Any CSM on a client system is the fault of the subscriber, not CC, and would be a violation of CC’s terms of service).

The hacker has emailed users, though inconsistently.  Not every ColoCloud user got the email.

ColoCloud has also emailed users:

Fun fact: two years ago, during Memorial Day Weekend 2023, downtown Buffalo suffered its first power outage since WWII. The CC datacenter there ran on generator power for 30 hours but didn’t suffer any downtime.

One of the ColoCrossing admins has posted a message in the thread:

The ColoCloud team is working hard on this issue. Sincere apologies for those who are impacted. For the ColoCloud team it has been non stop work on this issue since yesterday.

Significant steps are being taken to disconnect the platform from the internet to allow time for us to work on this issue. If your virtual server is down currently it is likely because of this action.

Thank you for the patience and understanding on this. We are doing our best.
On a personal note today is my son’s one year birthday party. I am on my computer doing whatever I can to support the team. It is all hands on deck.

Be sure to keep hitting F5 on that thread as this story develops.

raindog308

Raindog308 is a longtime LowEndTalk community administrator, technical writer, and self-described techno polymath. With deep roots in the *nix world, he has a passion for systems both modern and vintage, ranging from Unix, Perl, Python, and Golang to shell scripting and mainframe-era operating systems like MVS. He’s equally comfortable with relational database systems, having spent years working with Oracle, PostgreSQL, and MySQL.

As an avid user of LowEndBox providers, Raindog runs an empire of LEBs, from tiny boxes for VPNs, to mid-sized instances for application hosting, and heavyweight servers for data storage and complex databases. He brings both technical rigor and real-world experience to every piece he writes.

Beyond the command line, Raindog is a lover of German Shepherds, high-quality knives, target shooting, theology, tabletop RPGs, and hiking in deep, quiet forests.

His goal with every article is to help users, from beginners to seasoned sysadmins, get more value, performance, and enjoyment out of their infrastructure.

You can find him daily in the forums at LowEndTalk under the handle @raindog308.