Rackspace Confirms Play Ransomware Gang Responsible for Latest Breach

Jan 06, 2023 | Ravie Lakshmanan | Cloud Security / Cyber Threat


Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach.

The security incident, which took place on December 2, 2022, leveraged a previously unknown exploit to gain initial access to the Rackspace Hosted Exchange email environment.

"This zero-day exploit is associated with CVE-2022-41080," the Texas-based company said. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

Rackspace's forensic investigation found that the threat actor accessed the Personal Storage Table (.PST) files of 27 customers out of nearly 30,000 customers on the Hosted Exchange email environment.

However, the company said there is no evidence the adversary viewed, misused, or distributed the customers' emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.

It is not currently known whether Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed OWASSRF, employed by the Play ransomware actors.

The technique targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have the URL rewrite mitigations for the Autodiscover endpoint in place.

It involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a way that sidesteps the blocking rules, which only cover the Autodiscover path, by entering through Outlook Web Access (OWA) instead. Both flaws were addressed by Microsoft in November 2022, which is why the URL rewrite mitigation alone is not a substitute for the patch.

The Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its November 2022 Exchange Server updates and noted that the reported technique targets vulnerable systems that have not applied the latest fixes.
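As an added illustration of the check Microsoft is asking for, the following PowerShell reports whether each Exchange server in an organization is at or above the November 2022 Security Update build, which is the level that carries the fixes for CVE-2022-41040, CVE-2022-41080 and CVE-2022-41082. This is example code written for this page, not code from the article, Rackspace, CrowdStrike or Microsoft. The minimum build numbers in the table are an assumption taken from memory of Microsoft's Exchange Server build-number table and must be verified against the current table before the output is acted on; the function and variable names are likewise the example's own.

```powershell
# Added example, not code from the article, Rackspace, CrowdStrike or Microsoft.
# Reports whether each Exchange server is at or above the November 2022 Security
# Update (SU) build, i.e. carries the fixes for CVE-2022-41040, CVE-2022-41080
# and CVE-2022-41082. Run from the Exchange Management Shell on a server in the org.
#
# ASSUMPTION: the minimum builds below are the November 2022 SU builds as they
# appear in Microsoft's Exchange Server build-number table. Confirm them against
# the current table before acting on the output.
$Nov2022SuBuilds = @{
    '15.2.1118' = [Version]'15.2.1118.20'   # Exchange 2019 CU12
    '15.2.986'  = [Version]'15.2.986.36'    # Exchange 2019 CU11
    '15.1.2507' = [Version]'15.1.2507.16'   # Exchange 2016 CU23
    '15.1.2375' = [Version]'15.1.2375.37'   # Exchange 2016 CU22
    '15.0.1497' = [Version]'15.0.1497.44'   # Exchange 2013 CU23
}

function Get-ExchangeSuStatus {
    <#
    Classifies one ExSetup.exe product version string against the table above.
    Kept separate from the collection step so it can be checked against known
    values, e.g. Get-ExchangeSuStatus '15.2.1118.15' returns 'Vulnerable'.
    #>
    param([Parameter(Mandatory)][string]$ProductVersion)

    $installed = [Version]$ProductVersion
    # The first three parts identify the CU; only the last part moves with SUs.
    $cu = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build

    if (-not $Nov2022SuBuilds.ContainsKey($cu)) {
        # A CU that never received the November 2022 SU cannot be patched in
        # place; it needs a CU upgrade first.
        return 'UnsupportedCU'
    }
    if ($installed -ge $Nov2022SuBuilds[$cu]) { return 'Patched' }
    return 'Vulnerable'
}

function Test-ExchangeNov2022Su {
    <#
    Collects the ExSetup.exe version from every server returned by
    Get-ExchangeServer and emits one status object per server.
    #>
    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion only reflects the CU. The SU level is visible only in
        # the file version of ExSetup.exe, which is the check Microsoft documents.
        $version = Invoke-Command -ComputerName $server.Name -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
        } -ErrorAction SilentlyContinue

        [PSCustomObject]@{
            Server         = $server.Name
            ProductVersion = $version
            Status         = if ($version) { Get-ExchangeSuStatus $version } else { 'Unreachable' }
        }
    }
}

Test-ExchangeNov2022Su | Format-Table -AutoSize
```

A server reporting Patched is no longer exposed to the chain described above, but that says nothing about what happened before the update was applied; any server that sat unpatched behind only the Autodiscover URL rewrite rule should also be reviewed for signs of earlier compromise. Servers reporting UnsupportedCU are on a cumulative update that did not receive the November 2022 SU and cannot be fixed without a CU upgrade.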
