Rackspace Confirms Play Ransomware Gang Responsible for Latest Breach

01/06/2023Ravie LakshmananCloud Security / Cyber ​​​​Threat

Cloud service provider Rackspace confirmed on Thursday that the ransomware gang known as Play was responsible for the breach last month.

The security incident, which occurred on December 2, 2022, exploited a previously unknown vulnerability to gain initial access to the Rackspace Hosted Exchange email environment.

“This zero-day exploit is associated with CVE-2022-41080,” the Texas-based company said. “Microsoft has disclosed CVE-2022-41080 as a privilege escalation vulnerability and has not provided any indication that it is part of an exploitable remote code execution chain.”

Rackspace’s forensic investigation revealed that the attacker accessed the Personal Storage Table (.PST) of 27 customers out of nearly 30,000 customers in the Hosted Exchange email environment.

However, the company said there was no evidence the attacker viewed, misused or distributed the customers' emails or data from those personal storage folders. It also intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.

It is currently unknown whether Rackspace paid any ransom to the cybercriminals, but the disclosure follows a report by CrowdStrike last month that shed light on a new technique, called OWASSRF, employed by the Play ransomware actors.

The technique targets Exchange servers that are not patched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have the URL rewrite mitigations applied for the autodiscover endpoint.

OWASSRF is an exploit chain that combines CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a way that bypasses Outlook Web Access (OWA) blocking rules. Both bugs were fixed by Microsoft in November 2022.

The Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its November 2022 Exchange Server updates, noting that the reported method targets vulnerable systems that have not applied the latest fixes.
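The practical takeaway from the CrowdStrike and Microsoft statements above is that the autodiscover URL rewrite mitigation is not a substitute for the November 2022 security updates. The following Python script is an added example (not code from Rackspace, CrowdStrike or Microsoft) that applies that logic to a server inventory: it parses Exchange build strings, compares them against a caller-supplied minimum patched build per version line, and flags internet-facing servers that rely only on the rewrite mitigation as still exposed. The inventory records, the `ExchangeServer` fields and the build thresholds are constructed for the example; the real November 2022 SU build numbers must be taken from Microsoft's release notes before using this against a live estate.

```python
"""Triage an Exchange inventory for exposure to the OWASSRF chain.

Added example, not vendor code. Rule implemented (from the article):
URL rewrite mitigations for autodiscover do not stop OWASSRF; only the
November 2022 Exchange Server updates (fixing CVE-2022-41080 and
CVE-2022-41082) do.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Build = Tuple[int, int, int, int]

# Exposure labels, ordered from most to least urgent.
PRIORITY = [
    "exposed-mitigation-bypassed",  # internet-facing, unpatched, rewrite rule only
    "exposed",                      # internet-facing, unpatched, no mitigation at all
    "unpatched-internal",           # unpatched but not reachable from the internet
    "unknown-line",                 # version line not in the threshold table
    "patched",                      # at or above the November 2022 SU build
]


@dataclass
class ExchangeServer:
    name: str                              # hypothetical inventory field
    build: str                             # e.g. "15.2.986.5"
    internet_facing: bool
    autodiscover_rewrite_mitigation: bool  # URL rewrite rule applied?


def parse_build(build: str) -> Build:
    """Turn 'major.minor.build.revision' into a comparable 4-tuple."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Exchange build string: {build!r}")
    major, minor, patch, rev = (int(p) for p in parts)
    return (major, minor, patch, rev)


def assess(server: ExchangeServer, min_patched: Dict[str, Build]) -> str:
    """Classify one server against the per-line minimum patched build."""
    build = parse_build(server.build)
    line = f"{build[0]}.{build[1]}"  # "15.2" -> Exchange 2019 line, etc.
    if line not in min_patched:
        return "unknown-line"
    if build >= min_patched[line]:
        return "patched"
    if not server.internet_facing:
        return "unpatched-internal"
    # The article's point: the rewrite mitigation alone is bypassed by OWASSRF,
    # so a mitigated-but-unpatched server is still exposed.
    if server.autodiscover_rewrite_mitigation:
        return "exposed-mitigation-bypassed"
    return "exposed"


def triage(servers: List[ExchangeServer],
           min_patched: Dict[str, Build]) -> Dict[str, str]:
    """Return {server name: exposure label} for the whole inventory."""
    return {s.name: assess(s, min_patched) for s in servers}


def patch_order(servers: List[ExchangeServer],
                min_patched: Dict[str, Build]) -> List[str]:
    """Server names ordered by urgency; already-patched hosts are omitted."""
    labels = triage(servers, min_patched)
    rank = {label: i for i, label in enumerate(PRIORITY)}
    pending = [s.name for s in servers if labels[s.name] != "patched"]
    return sorted(pending, key=lambda n: rank[labels[n]])


# CONSTRUCTED thresholds for the example only. Replace each tuple with the
# build number of the November 2022 SU for that line from Microsoft's notes.
EXAMPLE_MIN_PATCHED: Dict[str, Build] = {
    "15.1": (15, 1, 2500, 0),  # Exchange 2016 line (placeholder value)
    "15.2": (15, 2, 1100, 0),  # Exchange 2019 line (placeholder value)
}

# CONSTRUCTED inventory for the example.
EXAMPLE_INVENTORY = [
    ExchangeServer("ex-edge-01", "15.2.986.5", True, True),    # rewrite rule only
    ExchangeServer("ex-edge-02", "15.2.986.5", True, False),   # nothing applied
    ExchangeServer("ex-int-01", "15.1.2375.7", False, True),   # internal, unpatched
    ExchangeServer("ex-edge-03", "15.2.1100.4", True, False),  # at threshold: patched
    ExchangeServer("ex-old-01", "14.3.513.0", True, False),    # line not in table
]

if __name__ == "__main__":
    for name, label in triage(EXAMPLE_INVENTORY, EXAMPLE_MIN_PATCHED).items():
        print(f"{name:12} {label}")
    print("patch order:", patch_order(EXAMPLE_INVENTORY, EXAMPLE_MIN_PATCHED))
```

The comparison is done on the full 4-tuple so that a server on the right cumulative update but an older security update is still reported as unpatched; a version line missing from the threshold table is surfaced as `unknown-line` rather than silently treated as safe.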
