The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this week.
Rackspace told the media that a previously unknown exploit was used to gain access to its network and steal data. The incident apparently involved a customer’s credentials getting compromised, which gave the attackers access to one of its servers on November 29.
The incident forced Rackspace to shut down its Hosted Exchange environment. The company is now in the process of recovering the data stored on the impacted Exchange servers.
Multiple class action lawsuits have been filed against Rackspace in response to the breach and the company’s shares have been on a downward trend since the incident was disclosed.
Cybersecurity researchers Anis Haboubi and Dominic Alvieri have provided SecurityWeek the addresses that point to the Play ransomware operation’s Tor-based leak website. There is no mention of Rackspace on the site at the time of writing.
Rackspace has not said whether it has paid a ransom to the cybercriminals.
The Play ransomware (also known as PlayCrypt) emerged in June 2022. The cybercriminals are deploying file-encrypting malware on compromised systems and stealing data from victims in an effort to increase their chances of getting paid.
According to data from deep web intelligence project DarkFeed, Play was the sixth most active ransomware operation in December 2022, with 16 new victims announced last month.
CrowdStrike reported in December that recent Play ransomware attacks targeting Microsoft Exchange servers had been observed using a new exploit chain that bypassed official mitigations for the flaws tracked as ProxyNotShell.
The new exploit chain, dubbed OWASSRF because it targets Outlook Web Application (OWA), leverages one of the ProxyNotShell vulnerabilities and CVE-2022-41080, an Exchange Server flaw addressed by Microsoft in November 2022, alongside ProxyNotShell.
CrowdStrike did not name Rackspace in its blog post, but Rackspace has now confirmed that it’s highly confident that exploitation of CVE-2022-41080 was involved in the attack.
The individual vulnerabilities exploited in the attack were known and they were patched by Microsoft in November, before the attack on Rackspace, but the way they were chained was new.
An external Rackspace advisor revealed that the cloud company had applied ProxyNotShell mitigations in September, when the vulnerabilities came to light, but did not install the November patches due to concerns related to reported operational issues caused by the patches.
In addition, Rackspace representatives said Microsoft’s advisory for CVE-2022-41080 did not mention remote code execution. It’s worth pointing out, however, that Microsoft did assign the issue an ‘exploitation more likely’ exploitability rating.
Related: Microsoft Links Exploitation of Exchange Zero-Days to State-Sponsored Hacker Group
Related: BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers