On Thursday, cloud services provider Rackspace confirmed that last month's intrusion was the work of the Play ransomware group.
The incident, which took place on December 2, 2022, relied on a previously unknown exploit to gain initial access to the Rackspace Hosted Exchange email environment.
The Texas-based company stated that “CVE-2022-41080 is related to this zero-day vulnerability.” Microsoft had disclosed CVE-2022-41080 as a privilege escalation flaw and did not indicate that it was part of an exploitable remote code execution chain.
According to Rackspace's forensic analysis, the attacker accessed the Personal Storage Tables (.PST files) of 27 customers out of roughly 30,000 on the Hosted Exchange email environment.
The company said there is no evidence that the adversary viewed, misused, or disseminated customer emails or data from those PST files. It also said it intends to discontinue its Hosted Exchange platform as part of a planned migration to Microsoft 365.
It is not currently known whether Rackspace paid a ransom. The disclosure follows a CrowdStrike report published last month describing OWASSRF, a new technique used by the Play ransomware operators.
The technique targets Exchange servers that have applied the URL rewrite mitigations Microsoft published for the Autodiscover endpoint but remain unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082).
The exploit chain abuses CVE-2022-41080 and CVE-2022-41082 to bypass those blocking rules through Outlook Web Access (OWA) and achieve remote code execution. Microsoft fixed both issues in November 2022.
Microsoft recommends that customers prioritize installing the November 2022 Exchange Server security updates, noting that the reported technique only works against servers that have not applied the latest fixes. The URL rewrite rule was always a stopgap for a single request path, not a patch; OWASSRF shows why a mitigation scoped to one endpoint cannot substitute for the update itself.
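To make the gap concrete, here is an added example (not code from the article, Rackspace, CrowdStrike, or Microsoft) that applies a URL rewrite pattern of the kind Microsoft published for the Autodiscover endpoint to a handful of constructed request URIs, and shows that a request reaching the PowerShell backend through an OWA path is never matched by it. The regular expression is reproduced from my recollection of Microsoft's mitigation guidance and should be treated as an assumption, the `reaches_powershell_via_owa` heuristic is a hypothetical detection idea of mine rather than a published signature, and every URI in `SAMPLE_REQUESTS` is constructed for illustration, not captured traffic.

```python
import re

# Assumption: pattern of the URL rewrite mitigation Microsoft published for the
# Autodiscover endpoint, recalled from memory. IIS URL Rewrite evaluates it
# against {REQUEST_URI} case-insensitively, so re.IGNORECASE mirrors that.
AUTODISCOVER_MITIGATION = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def mitigation_blocks(uri: str) -> bool:
    """True if the Autodiscover-scoped rewrite rule would block this request URI."""
    return AUTODISCOVER_MITIGATION.search(uri) is not None


def reaches_powershell_via_owa(uri: str) -> bool:
    """Hypothetical detection heuristic, not a published signature.

    Flags a request whose path sits under /owa/ yet still names the Exchange
    PowerShell backend. Normal OWA browsing never produces such a path, which
    is the property the Autodiscover-only mitigation fails to account for.
    """
    path = uri.split("?", 1)[0].lower()
    return path.startswith("/owa/") and "/powershell" in path


# Constructed sample request URIs for illustration only (not captured traffic).
SAMPLE_REQUESTS = [
    "/autodiscover/autodiscover.json?example@example.com/powershell",  # shape the rule targets
    "/owa/auth/logon.aspx",                                            # ordinary OWA login page
    "/owa/user@example.com/powershell",                                # hypothetical OWA-path request to PowerShell
    "/ecp/default.aspx",                                               # ordinary admin center page
]


def triage(uris):
    """Return, per URI, whether the rewrite rule blocks it and whether the heuristic flags it."""
    return {
        uri: {
            "blocked_by_autodiscover_rule": mitigation_blocks(uri),
            "owa_to_powershell": reaches_powershell_via_owa(uri),
        }
        for uri in uris
    }


if __name__ == "__main__":
    for uri, verdict in triage(SAMPLE_REQUESTS).items():
        print(
            f"{uri:65} blocked={verdict['blocked_by_autodiscover_rule']!s:5} "
            f"flag={verdict['owa_to_powershell']}"
        )
```

Running it shows the Autodiscover-shaped request blocked and the OWA-path request passing the rule untouched while the heuristic flags it. The practical takeaway matches Microsoft's advice: use request-path heuristics like this for hunting in IIS logs on servers that were exposed before patching, but rely on the November 2022 security update, not on rewrite rules, to close the hole.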