Rackspace Verifies Play Ransomware Group as Cause of Recent Breach

Rackspace Confirms Ransomware Attack by Play Group

On Thursday, cloud services provider Rackspace identified the ransomware group known as Play as the responsible party behind a recent security breach that occurred in December 2022. The breach targeted Rackspace’s Hosted Exchange email environment, taking advantage of a previously undisclosed vulnerability.

The security incident took place on December 2, 2022, and involved a zero-day exploit of the Microsoft vulnerability CVE-2022-41080. Microsoft had characterized this vulnerability as a privilege escalation flaw and had not indicated that it could be used as part of a remote code execution exploit chain, which is how the attackers gained access to the system.

Rackspace’s forensic investigation revealed that the attackers managed to access the Personal Storage Table (.PST) files of 27 clients among nearly 30,000 customers utilizing the Hosted Exchange service. However, the company stated that there is no evidence suggesting that the threat actor viewed, misused, or disseminated any emails or data from these personal storage folders. In light of this incident, Rackspace plans to migrate its services to Microsoft 365, effectively phasing out its Hosted Exchange platform.

While it remains unclear whether Rackspace paid a ransom, the disclosure coincided with a report from CrowdStrike detailing a new exploitation technique used by the Play ransomware group, referred to as OWASSRF. The technique targets Exchange servers that remain unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have applied only the URL rewrite mitigations on the Autodiscover endpoint.

The method chains two vulnerabilities, CVE-2022-41080 and CVE-2022-41082, to execute remote code through Outlook Web Access (OWA), a path that the existing blocking rules do not cover. Microsoft addressed both vulnerabilities in its November 2022 updates and has emphasized that customers should prioritize applying these security patches to vulnerable systems.
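The practical point of the two paragraphs above is that a URL rewrite rule scoped to the Autodiscover frontend says nothing about requests arriving through other frontends such as OWA, so only the November 2022 update closes the gap. The following triage script is an added illustration written for this page; it is not code from Rackspace, CrowdStrike or Microsoft. It parses a few constructed IIS-style log lines, flags requests whose decoded URL appears to reach the Exchange PowerShell backend (an assumed indicator, since the article names no request pattern), and reports whether each flagged request would have fallen inside an Autodiscover-only rewrite rule. The log format, the sample addresses and the `powershell` indicator are all assumptions made for the example.

```python
import re
import urllib.parse
from typing import List, NamedTuple

# Constructed sample lines in a simplified IIS W3C layout (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-12-02 03:14:07 198.51.100.23 POST /autodiscover/autodiscover.json Email=x%40example.com%2Fpowershell 401
2022-12-02 03:14:09 198.51.100.23 POST /owa/user%40example.com/powershell - 200
2022-12-02 03:15:00 203.0.113.8 GET /owa/auth/logon.aspx url=%2Fowa%2F 200
2022-12-02 03:15:30 203.0.113.8 GET /autodiscover/autodiscover.xml - 200
"""


class Request(NamedTuple):
    client: str
    method: str
    path: str
    query: str
    status: int


class Finding(NamedTuple):
    client: str
    path: str
    covered_by_autodiscover_rule: bool


LOG_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# The article describes the ProxyNotShell mitigation as URL rewrite rules on the
# Autodiscover endpoint; modelled here as a plain path-prefix check (assumption).
MITIGATED_PREFIX = "/autodiscover/"

# Assumed indicator of a hop towards the PowerShell backend (not from the page).
BACKEND_HOP = re.compile(r"powershell")


def parse_iis_lines(text: str) -> List[Request]:
    """Parse the simplified log layout above; malformed or comment lines are skipped."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LOG_RE.match(line)
        if not match:
            continue
        client, method, path, query, status = match.groups()
        query = "" if query == "-" else query
        requests.append(Request(client, method, path.lower(), query.lower(), int(status)))
    return requests


def covered_by_autodiscover_rule(req: Request) -> bool:
    """Would a rewrite rule bound to the Autodiscover frontend see this request?"""
    return req.path.startswith(MITIGATED_PREFIX)


def looks_like_backend_hop(req: Request) -> bool:
    """Check the percent-decoded path and query for the assumed backend indicator."""
    decoded = urllib.parse.unquote(req.path + "?" + req.query)
    return BACKEND_HOP.search(decoded) is not None


def triage(text: str) -> List[Finding]:
    """Return one finding per suspicious request, noting whether the
    Autodiscover-only mitigation would even have inspected it."""
    return [
        Finding(req.client, req.path, covered_by_autodiscover_rule(req))
        for req in parse_iis_lines(text)
        if looks_like_backend_hop(req)
    ]


def uncovered_paths(text: str) -> List[str]:
    """Paths of suspicious requests that an Autodiscover-scoped rule never touches."""
    return [f.path for f in triage(text) if not f.covered_by_autodiscover_rule]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        scope = "inside" if finding.covered_by_autodiscover_rule else "OUTSIDE"
        print(f"{finding.client} {finding.path} -> {scope} Autodiscover rewrite scope")
```

Run against the constructed sample, the script flags two requests: the one through `/autodiscover/` sits inside the rewrite rule's scope, while the one through `/owa/` does not, which is exactly the gap the article attributes to OWASSRF. On a real server the remedy is the November 2022 update rather than a wider rewrite rule, and the indicator pattern would need to be taken from vendor guidance rather than from this example.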

The incident maps onto several tactics in the MITRE ATT&CK framework. Initial access was likely achieved through the zero-day vulnerability described above, and privilege escalation was then used to gain elevated access within the environment. The attackers may also have employed persistence techniques to maintain their foothold, although Rackspace's investigation did not conclusively identify further exploitation beyond initial access.

As organizations continue to grapple with rising cybersecurity threats, incidents like the Rackspace breach serve as stern reminders of the importance of timely patch management and proactive security measures. Businesses are urged to stay informed about evolving vulnerabilities, ensuring they implement robust defenses to protect sensitive data and maintain operational integrity.
