Rackspace Confirms Play Ransomware Gang Responsible for Recent Breach

January 6, 2023 | Ravie Lakshmanan | Cloud Security / Cyber Threat


Cloud service provider Rackspace said on Thursday that the Play ransomware group was responsible for last month's breach.

A security incident on December 2nd, 2022 leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

“This zero-day exploit is associated with CVE-2022-41080,” said the Texas-based company. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include a note that it is part of an exploitable remote code execution chain.”

Rackspace’s forensic investigation found that the attackers accessed the Personal Storage Tables (.PST) of 27 out of approximately 30,000 customers in a Hosted Exchange email environment.

However, the company says it has no evidence that adversaries viewed, misused, or distributed customer emails or data from these personal storage folders. Additionally, it said it plans to retire its Hosted Exchange platform as part of its planned migration to Microsoft 365.

It’s currently unknown if Rackspace paid the ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that highlighted a new technique called OWASSRF used by Play ransomware actors.

The technique targets Exchange servers that remain unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have the Autodiscover endpoint URL rewrite mitigation applied.

It involves an exploit chain consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution through Outlook Web Access (OWA), bypassing the URL rewrite blocking rules. Both flaws were addressed by Microsoft in its November 2022 updates.

In a statement shared with The Hacker News, the Windows maker urged customers to prioritize installing the November 2022 Exchange Server update, and said that systems with the latest fixes applied are not vulnerable.
