Security Experts:

Connect with us

Hi, what are you looking for?



Play Ransomware Group Used New Exploitation Method in Rackspace Attack

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this week.

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this week.

Rackspace told the media that a previously unknown exploit was used to gain access to its network and steal data. The incident apparently involved a customer’s credentials getting compromised, which gave the attackers access to one of its servers on November 29.

The incident forced Rackspace to shut down its Hosted Exchange environment. The company is now in the process of recovering the data stored on the impacted Exchange servers.

Multiple class action lawsuits have been filed against Rackspace in response to the breach and the company’s shares have been on a downward trend since the incident was disclosed.

Cybersecurity researchers Anis Haboubi and Dominic Alvieri have provided SecurityWeek the addresses that point to the Play ransomware operation’s Tor-based leak website. There is no mention of Rackspace on the site at the time of writing.

Rackspace has not said whether it has paid a ransom to the cybercriminals.

The Play ransomware (also known as PlayCrypt) emerged in June 2022. The cybercriminals are deploying file-encrypting malware on compromised systems and stealing data from victims in an effort to increase their chances of getting paid.

According to data from deep web intelligence project DarkFeed, Play was the sixth most active ransomware operation in December 2022, with 16 new victims announced last month.

Ransomware Resilience & Recovery Summit

CrowdStrike reported in December that recent Play ransomware attacks targeting Microsoft Exchange servers had been observed using a new exploit chain that bypassed official mitigations for the flaws tracked as ProxyNotShell.

The new exploit chain, dubbed OWASSRF because it targets Outlook Web Application (OWA), leverages one of the ProxyNotShell vulnerabilities and CVE-2022-41080, an Exchange Server flaw addressed by Microsoft in November 2022, alongside ProxyNotShell.

CrowdStrike did not name Rackspace in its blog post, but Rackspace has now confirmed that it’s highly confident that exploitation of CVE-2022-41080 was involved in the attack.

The individual vulnerabilities exploited in the attack were known and they were patched by Microsoft in November, before the attack on Rackspace, but the way they were chained was new.

An external Rackspace advisor revealed that the cloud company had applied ProxyNotShell mitigations in September, when the vulnerabilities came to light, but did not install the November patches due to concerns related to reported operational issues caused by the patches.

In addition, Rackspace representatives said Microsoft’s advisory for CVE-2022-41080 did not mention remote code execution. It’s worth pointing out, however, that Microsoft did assign the issue an ‘exploitation more likely’ exploitability rating.

Related: Microsoft Links Exploitation of Exchange Zero-Days to State-Sponsored Hacker Group

Related: BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...