This article is more than 1 year old

Rackspace blames ransomware woes on zero-day attack

Play gang blamed, ProxyNotShell cleared and hosted Exchange doomed

Rackspace has confirmed the Play ransomware gang was behind last month's hacking and said it won't bring back its hosted Microsoft Exchange email service, as it continues working to recover customers' email data lost in the December 2 ransomware attack.

Rackspace said "more than half" of its customers who lost their hosted email service last month now have "some or all of their data available to them for download," in its latest and final status update, posted today. But customers aren't exactly jumping at the chance to access this data, the update continued:

Less than 5 percent of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data.

We will continue working to recover all data possible as planned, however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.

Rackspace also disclosed some new information about how many customers were hit by the email fiasco.

"Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table (PST) of 27 Hosted Exchange customers," according to the update. 

And, it added, according to CrowdStrike, which Rackspace hired to help with the recovery and remediation effort, "there is no there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated any of the 27 Hosted Exchange customers' emails or data in the PSTs in any way."

Rackspace did not disclose the ransom demand, or if it paid the criminals to decrypt the stolen data.

It also confirmed that the hosted Exchange email product, which only represents 1 percent of the company's annual revenue, won't be rebuilt.

"Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionality," Rackspace said. "There will be no price increase for our Hosted Exchange customers if they choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have."

One month and counting...

As a refresher for readers who aren't part of the 1 percent of Rackspace customers affected by the email fiasco. On December 2, 2022, a cyberattack took down the company's hosted Microsoft Exchange email service. 

Four days later, Rackspace admitted a ransomware infection was to blame, and over the subsequent weeks the company has been moving customers to cloud-based Microsoft 365 and working to recover their pre-December 2 email data, which, for some customers, includes a decade's worth of old messages and contacts. 

Rackspace still hasn't said how many customers were affected by the email outage, or when it expects to complete the data recovery process.

"As the process remains underway, we want to remind customers that due to the nature of the incident, certain elements of email and other data may remain unavailable to our customers," Rackspace warned in a December 27, 2022 update.

Play with a zero-day

The company blamed Play, a newer ransomware gang, for the intrusion, and said the group used a previously unknown exploit to break into its environment. 

"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," Rackspace Chief Security Officer Karen O'Reilly-Smith told The Register.

CrowdStrike said it discovered the new exploit method during recent "investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange."

The attack chains CVE-2022-41080 and CVE-2022-41082 for remote code execution (RCE) through Outlook Web Access. This allows miscreants to bypass URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.

CVE-2022-41082 is one of the two Exchange Server bugs dubbed ProxyNotShell that have been exploited as far back as August. Microsoft said it had finally fixed both in November's Patch Tuesday event. 

Microsoft also disclosed CVE-2022-41080, which was not part of ProxyNotShell, in November. At the time, however, it listed it as a privilege-escalation bug "and did not include notes for being part of a Remote Code Execution chain that was exploitable," O'Reilly-Smith said, adding that this is why Rackspace has insisted, despite widespread speculation, that the attack was not related to any ProxyNotShell vulnerabilities.

"While there has been widespread speculation that the root cause of this incident was the result of the ProxyNotShell exploit, we can now definitively state that is not accurate," O'Reilly-Smith said. "We have been diligent about this investigation — and prioritizing accuracy and precision in everything we say and do, because our credibility is important to us at Rackspace."

"We thank CrowdStrike for their thorough work in discovering this zero-day exploit during the course of this investigation and will be sharing more detailed information with our customers and peers in the security community," she added. ®

More about


Send us news

Other stories you might like