- Rackspace Technology claimed that the security incident they expected is a zero-day exploit that is associated with CVE-2022-41080.
- The company also said that Microsoft didn’t announce that the vulnerability was a part of a Remote Code Execution chain that was exploitable.
- According to the forensic investigation, 27 of nearly 30,000 Hosted Exchange customers were affected by the incident.
During the entire of December, Rackspace Technology struggled with a security incident, that disrupted its services. It took almost a month to restore all the services. The company warned its users against possible phishing attacks and some customers sued the company for the issues. Rackspace finally completed the forensic investigation and shared information broadly about the root cause.
Play ransomware
According to the announcement, the root cause of the incident was not the ProxyNotShell exploit, as it claimed to be. Rackspace also stated that the threat actor behind the attack is the Play ransomware gang. Instead, the incident is associated with a zero-day exploit. This zero-day exploit is associated with CVE-2022-41080. In the announcement, the company said that Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable. Rackspace advised all organizations and security teams to take a look at CrowdStrike’s blog post about the OWASSRF exploit.
According to the forensic investigation’s findings, the threat actor accessed a Personal Storage Table (PST) of 27 Hosted Exchange customers of the 30,000 customers on the Hosted Exchange email environment at the time of the attack. Rackspace also claimed that according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated emails or data in the PSTs.
As of the 5th of January, more than half of impacted customers have some or all of their data available. However, less than 5% of those customers have actually downloaded the mailboxes we have made available. Which shows that most of these customers have data backed up locally, archived, or otherwise do not need the historical data. The team is still working on recovering all data possible as planned. The company is also working on developing an on-demand solution for those customers who do still wish to download their data, which is expected to be available within two weeks.
Amar Maletira, CEO of Rackspace Technology also published a post about the incident and said,
« Now that the forensic investigation has concluded, you can find further detail about the scope of the December 2022 incident and the findings of the forensic investigation on the “Latest Update” tab. Under both the “Latest Update” and “Resources for Customers” tabs, you can also find additional materials that will be helpful to you if you still need assistance with restoring your historical data.
I want to close by saying that while the Hosted Exchange email environment was a small part of our business, it represents thousands of long-time and loyal customers. We deeply value each and every one of you. We sincerely thank all of our customers and will continue to work to maintain the relationships we have built with you over the years. Again, we apologize for the disruption that this incident caused and look forward to working with you in the future. »