Rackspace confirms Play ransomware gang behind recent breach

Cloud services provider Rackspace confirmed that the ransomware gang known as Play was responsible for the recent data breach.

The security incident, which took place on December 2, 2022, abused a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

The Texas-based company stated that the zero-day exploit is associated with CVE-2022-41080 which was disclosed by Microsoft as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable.

Rackspace’s forensic investigation found that the threat actor accessed the Personal Storage Table (.PST) of 27 customers out of a total of nearly 30,000 customers on the Hosted Exchange email environment.

The company said that there is no evidence the adversary viewed, misused, or distributed the customer’s emails or data from those personal storage folders.

They also stated that it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.

It is unknown whether Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed OWASSRF, employed by the Play ransomware actors.

The mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have in place URL rewrite mitigations for the Autodiscover endpoint.

This involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses the blocking rules through Outlook Web Access (OWA). The flaws were addressed by Microsoft in November 2022.

Image Credits : San Antonio Current

The post Rackspace confirms Play ransomware gang behind recent breach first appeared on Cybersafe News.

CyberNews RansomWare