Security Experts:

Connect with us

Hi, what are you looking for?



Play Ransomware Group Used New Exploitation Method in Rackspace Attack

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this week.

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this week.

Rackspace told the media that a previously unknown exploit was used to gain access to its network and steal data. The incident apparently involved a customer’s credentials getting compromised, which gave the attackers access to one of its servers on November 29.

The incident forced Rackspace to shut down its Hosted Exchange environment. The company is now in the process of recovering the data stored on the impacted Exchange servers.

Multiple class action lawsuits have been filed against Rackspace in response to the breach and the company’s shares have been on a downward trend since the incident was disclosed.

Cybersecurity researchers Anis Haboubi and Dominic Alvieri have provided SecurityWeek the addresses that point to the Play ransomware operation’s Tor-based leak website. There is no mention of Rackspace on the site at the time of writing.

Rackspace has not said whether it has paid a ransom to the cybercriminals.

The Play ransomware (also known as PlayCrypt) emerged in June 2022. The cybercriminals are deploying file-encrypting malware on compromised systems and stealing data from victims in an effort to increase their chances of getting paid.

According to data from deep web intelligence project DarkFeed, Play was the sixth most active ransomware operation in December 2022, with 16 new victims announced last month.

Ransomware Resilience & Recovery Summit

CrowdStrike reported in December that recent Play ransomware attacks targeting Microsoft Exchange servers had been observed using a new exploit chain that bypassed official mitigations for the flaws tracked as ProxyNotShell.

The new exploit chain, dubbed OWASSRF because it targets Outlook Web Application (OWA), leverages one of the ProxyNotShell vulnerabilities and CVE-2022-41080, an Exchange Server flaw addressed by Microsoft in November 2022, alongside ProxyNotShell.

CrowdStrike did not name Rackspace in its blog post, but Rackspace has now confirmed that it’s highly confident that exploitation of CVE-2022-41080 was involved in the attack.

The individual vulnerabilities exploited in the attack were known and they were patched by Microsoft in November, before the attack on Rackspace, but the way they were chained was new.

An external Rackspace advisor revealed that the cloud company had applied ProxyNotShell mitigations in September, when the vulnerabilities came to light, but did not install the November patches due to concerns related to reported operational issues caused by the patches.

In addition, Rackspace representatives said Microsoft’s advisory for CVE-2022-41080 did not mention remote code execution. It’s worth pointing out, however, that Microsoft did assign the issue an ‘exploitation more likely’ exploitability rating.

Related: Microsoft Links Exploitation of Exchange Zero-Days to State-Sponsored Hacker Group

Related: BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...