Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month’s breach.
The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.
“This zero-day exploit is associated with CVE-2022-41080,” the Texas-based company said. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable.”
Rackspace’s forensic investigation found that the threat actor accessed the Personal Storage Table (.PST) of 27 customers out of nearly 30,000 customers on the Hosted Exchange email environment.
However, the company said there is no evidence the adversary viewed, misused, or distributed the customer’s emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.
It’s not currently not known if Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed OWASSRF, employed by the Play ransomware actors.
The mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have in place URL rewrite mitigations for the Autodiscover endpoint.
This involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses the blocking rules through Outlook Web Access (OWA). The flaws were addressed by Microsoft in November 2022.
The Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its November 2022 Exchange Server updates and noted that the reported method targets vulnerable systems that have not not applied the latest fixes.