Cloud services provider Rackspace on Thursday confirmed that the ransomware gang commonly known as Play was responsible for last month's breach.
The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.
"This zero-day exploit is associated with CVE-2022-41080," the Texas-based company said. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."
Rackspace's forensic investigation found that the threat actor accessed the Personal Storage Table (.PST) files of 27 customers out of nearly 30,000 customers on the Hosted Exchange email environment.
However, the company said there is no evidence the adversary viewed, misused, or distributed the customers' emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.
It is not currently known whether Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new method, dubbed OWASSRF, employed by the Play ransomware actors.
The technique targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have URL rewrite mitigations in place for the Autodiscover endpoint.
It involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses those blocking rules via Outlook Web Access (OWA). The flaws were addressed by Microsoft in November 2022.
The Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its November 2022 Exchange Server updates and said that the reported method targets vulnerable systems that have not applied the latest fixes.
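The defensive point in the two paragraphs above is that a URL rewrite mitigation is scoped to one front-end path (Autodiscover), while an unpatched server exposes other front ends (OWA among them) that the rule never inspects; only the November 2022 updates close the gap. The following is an added example, not code from the article, Rackspace, CrowdStrike or Microsoft: it parses constructed W3C-style IIS log lines, inventories which Exchange front ends actually receive traffic, and reports those that no rewrite rule is scoped to. The log lines are constructed for the example, and the rule pattern is an assumed stand-in for the real Autodiscover mitigation (the article does not reproduce the rule text).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed W3C-style IIS log lines for illustration; not log data from the incident.
CONSTRUCTED_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2022-12-02 03:14:05 POST /autodiscover/autodiscover.json Email=user@example.invalid 200
2022-12-02 03:14:09 GET /owa/auth/logon.aspx - 200
2022-12-02 03:14:11 POST /owa/auth.owa - 302
2022-12-02 03:14:20 GET /ecp/default.aspx - 200
2022-12-02 03:14:31 GET /mapi/emsmdb/ - 401
"""


@dataclass(frozen=True)
class Mitigation:
    name: str            # label for reporting
    scope: str           # front-end prefix the rewrite rule is attached to
    pattern: re.Pattern  # request pattern the rule blocks within that scope


# Assumed stand-in for an Autodiscover-scoped URL rewrite rule (hypothetical pattern).
ASSUMED_RULES = [
    Mitigation(
        "autodiscover-rewrite",
        "/autodiscover",
        re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE),
    ),
]


def parse_w3c(text):
    """Yield (method, stem, query, status) from W3C lines, skipping '#' directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: ignore rather than crash the triage
        _date, _time, method, stem, query, status = parts[:6]
        yield method, stem, "" if query == "-" else query, int(status)


def frontend_of(stem):
    """First path segment, lower-cased: '/owa/auth.owa' -> '/owa'."""
    segments = stem.split("/", 2)
    seg = segments[1] if stem.startswith("/") and len(segments) > 1 else segments[0]
    return "/" + seg.lower()


def frontend_counts(text):
    """How many requests each front end received in the log."""
    return Counter(frontend_of(stem) for _, stem, _, _ in parse_w3c(text))


def would_block(stem, query, rules):
    """True if some rule is scoped to this front end AND its pattern matches the request."""
    uri = stem + ("?" + query if query else "")
    fe = frontend_of(stem)
    return any(r.scope.lower() == fe and r.pattern.search(uri) for r in rules)


def coverage_gaps(text, rules):
    """Front ends seen in the log that no rewrite rule is scoped to at all."""
    covered = {r.scope.lower() for r in rules}
    return sorted(fe for fe in frontend_counts(text) if fe not in covered)


def posture(text, rules, patched):
    """Patch status wins; mitigation-only posture reports the uncovered front ends."""
    if patched:
        return "patched"
    gaps = coverage_gaps(text, rules)
    if gaps:
        return "mitigation-only, uncovered front ends: " + ", ".join(gaps)
    return "mitigation-only, all observed front ends scoped"


if __name__ == "__main__":
    print(frontend_counts(CONSTRUCTED_LOG))
    print(posture(CONSTRUCTED_LOG, ASSUMED_RULES, patched=False))
```

Run against the constructed log, the report lists `/ecp`, `/mapi` and `/owa` as front ends outside the rule's scope, which is the shape of exposure the article describes: the mitigation is doing its job on Autodiscover and nothing elsewhere. In practice the function to act on is `posture`: once the November 2022 updates are installed the gap list is moot, which is why the statement above prioritizes patching over rewrite rules.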