Rackspace has released details of the ransomware attack that caused confusion among its Hosted Exchange customers in December, confirming that the attackers accessed files that could contain emails, contacts and other details.
The company was hit by the Play ransomware variant earlier this month, forcing it to temporarily suspend its Hosted Exchange environment.
In yesterday's update, the hosting giant said that the attackers accessed Personal Storage Table (PST) data belonging to 27 of the 30,000 customers using the environment at the time of the attack.
PST is a file used by Microsoft programs to store data such as emails, calendar events, and contacts.
However, Rackspace also drew on findings from its IT forensics partner, CrowdStrike, to reassure those affected customers.
“We are already actively communicating our findings to these customers. There is no evidence that it was acquired, misused, or distributed.
“Customers who have not been contacted directly by the Rackspace team can be confident that their PST data has not been accessed by an attacker.”
The company also revealed that the initial access vector used by the Play affiliate was the zero-day bug CVE-2022-41080. Patched by Microsoft in November, this is a privilege escalation vulnerability in Exchange Server.
According to CrowdStrike, this bug was exploited along with one of the ProxyNotShell vulnerabilities (CVE-2022-41082) to allow remote code execution via Outlook Web Access (OWA).
“The new exploit technique bypasses the URL rewrite mitigation of the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.”
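The chain described above matters to defenders because a mitigation scoped to one endpoint (the Autodiscover URL Rewrite rule) leaves the other front-end path uncovered. The following is an added illustration, not code from Rackspace, CrowdStrike or this article: a small hunting filter over IIS W3C-format request logs that flags requests entering through either `/autodiscover/` or `/owa/` and naming the Exchange PowerShell backend in the URL, which is the request pattern the ProxyNotShell mitigation was written to match. The log lines are constructed for the example, and the field names follow the IIS W3C extended log layout.

```python
from typing import Iterator
from urllib.parse import unquote

# Both Exchange front-end paths are checked, so a rule that only inspects
# Autodiscover (like the mitigation the article says was bypassed) has no blind spot.
FRONTEND_PATHS = ("/autodiscover/", "/owa/")
BACKEND_MARKER = "powershell"  # the Exchange PowerShell backend named in the request URL

# Constructed sample log in IIS W3C extended format (spaces inside values are "+" as IIS writes them).
# These lines are illustrative and are not taken from any real incident.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-12-02 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2022-12-02 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json a=x%40example.com/powershell 443 - 203.0.113.7 python-requests/2.28 200
2022-12-02 03:14:11 10.0.0.5 POST /owa/placeholder%40example.com/powershell - 443 - 203.0.113.7 python-requests/2.28 200
2022-12-02 03:15:00 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 alice 198.51.100.9 Outlook/16.0 200
"""


def parse_iis_lines(text: str) -> Iterator[dict]:
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue  # directives and blank lines carry no request
        values = raw.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than guess at their columns
        yield dict(zip(fields, values))


def is_suspicious(entry: dict) -> bool:
    """True when the request enters via a front-end path and names the PowerShell backend.

    The URL is percent-decoded first, because encoded characters such as %40 ('@')
    are exactly how a naive substring rule gets sidestepped.
    """
    stem = unquote(entry.get("cs-uri-stem", "")).lower()
    query = unquote(entry.get("cs-uri-query", "")).lower()
    via_frontend = any(stem.startswith(p) for p in FRONTEND_PATHS)
    return via_frontend and BACKEND_MARKER in f"{stem}?{query}"


def hunt(text: str) -> list[dict]:
    """Return the log entries that match the heuristic, in log order."""
    return [entry for entry in parse_iis_lines(text) if is_suspicious(entry)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

Run against the constructed sample, the filter flags the two backend-bound requests from 203.0.113.7 and ignores the ordinary OWA logon and Autodiscover XML lookups. In practice this is a triage heuristic to narrow a log set, not a verdict: a hit should be followed by checking what the request's source did next on the server.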
Citing this research, Rackspace argued that previous reports suggesting that ProxyNotShell itself was the “root cause” of the incident were inaccurate.
“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include a note that [it] is part of an exploitable remote code execution chain.”