Thursday, January 5, 2023
Ransomware Attack Bypassed ProxyNotShell Mitigations



Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.

“We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080,” Karen O’Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable.”

CVE-2022-41080 is a bug that Microsoft patched in November.

An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused “authentication errors” that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft’s recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.

Rackspace hired CrowdStrike to assist with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was using a new technique to trigger the next-stage ProxyNotShell RCE flaw known as CVE-2022-41082 by way of CVE-2022-41080. CrowdStrike’s post did not name Rackspace at the time, but the company’s external advisor tells Dark Reading that the research on Play’s mitigation bypass method was the result of CrowdStrike’s investigation into the attack on the hosting services provider.

Microsoft told Dark Reading last month that while the attack bypasses the previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.

“Patching is the answer if you can do it,” the external advisor says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with the risk of taking down its servers. “They evaluated, considered, and weighed [the risk] they knew about” at the time, the external advisor says. The company still has not applied the patch, since the servers remain down.

A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.