Ransomware attacker behind December's Exchange breach revealed by Rackspace

Play threat actor linked to novel Outlook Web Access hacking technique employed in numerous assaults, according to CrowdStrike.

In early December 2022, Rackspace Technology suffered a significant ransomware attack on its Hosted Exchange customers. The attack was traced back to a zero-day exploit associated with CVE-2022-41080, a privilege escalation vulnerability disclosed by Microsoft.

The attack, conducted by the China-based threat actor known as Vice Society, impacted thousands of Rackspace customers, leaving them unable to access pre-attack emails. According to a forensic investigation led by CrowdStrike, the FBI, and other experts, the threat actor accessed Rackspace systems using compromised credentials of a customer.

The new exploit method for remote code execution via Outlook Web Access, associated with CVE-2022-41080 and CVE-2022-41082, was discovered during a probe of several Play ransomware intrusions, where Microsoft Exchange was the common entry vector.

Following the attack, Rackspace shifted mostly small- and medium-sized businesses to a Microsoft 365 environment as a precautionary measure. However, Rackspace officials have denied speculation that the attacks stemmed from ProxyNotShell.

In response to the breach, Rackspace Technology has confirmed that the threat actor known as Play was behind the ransomware attack on its Hosted Exchange customers in early December. Despite this confirmation, Rackspace declined to comment on whether any specific ransom was paid in relation to the attack.

Amidst the fallout, Rackspace is facing litigation in a U.S. District Court for alleged failure to secure customer data. The details of the litigation are yet to be disclosed, but it adds to the mounting challenges for the company following the data breach.

As the investigation continues, it is crucial for businesses to remain vigilant and prioritise data security to protect against such threats.