Rackspace identifies ransomware threat actor behind December attack via Exchange
Rackspace Technology has confirmed the threat actor known as Play was behind the ransomware attack that disrupted email access for its Hosted Exchange customers in early December.
The threat actor was identified following a forensic investigation led by CrowdStrike, the FBI and other experts, Rackspace told Cybersecurity Dive Monday.
Karen O’Reilly-Smith, chief security officer at Rackspace, said the attack was linked to a zero-day exploit associated with CVE-2022-41080.
“Microsoft disclosed CVE-2022-41080 as privilege escalation vulnerability, and did not include notes for being part of a Remote Code Execution chain that was exploitable,” O’Reilly-Smith said via email.
The threat actor accessed Rackspace systems using compromised credentials of a customer, according to a spokesperson.
The company declined to comment on whether any specific ransom was paid, but previously linked the attack to a financially motivated threat actor.
CrowdStrike, in a blog post released Dec. 20, said it had discovered a new exploit method associated with CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution via Outlook Web Access.
The findings were part of a larger probe of several intrusions by Play ransomware where Microsoft Exchange was the common entry vector, CrowdStrike said.
As previously reported, thousands of Rackspace customers were impacted by the ransomware attack, which left customers unable to access pre-attack emails. In response, the company shifted these mostly small- and medium-sized businesses to a Microsoft 365 environment.
Rackspace is facing litigation in a U.S. District Court alleging the company failed to secure customer data. The company has denied those allegations.
Rackspace officials denied previously reported speculation that the attacks stemmed from ProxyNotShell.
Gloss