Only Those Hosted Exchange Customers at Risk, CrowdStrike Forensic Probe Concludes
(euroinfosec)
January 6, 2023
Hosting giant Rackspace says the ransomware attack against it that came to light last month resulted in Microsoft Exchange data for 27 customer organizations being accessed by attackers.
The 27 organizations were all users of Rackspace’s Hosted Exchange service (see: Rackspace Blames Zero-Day Exploit for Ransomware Hit Success).
Cybersecurity firm CrowdStrike, hired by Rackspace to probe the attack, reports that the attacker “accessed a personal storage table” used to store Exchange data for each of the 27 customers. All have been notified of the data exposure.
“According to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way,” Rackspace says in its Thursday breach update. But absence of evidence does not prove the attackers did not do so. Any customer who hasn’t already been directly notified wasn’t one of the victims, Rackspace says.
After the attack hit last month, Rackspace ceased offering hosted Exchange and has been helping the 30,000 customers who used it to migrate to Microsoft 365 or Rackspace Email.
In the wake of Rackspace’s Dec. 6 warning that it had been hit by ransomware-wielding attackers, some security experts wondered if the company might have failed to protect itself against the ProxyNotShell exploit, which was first spotted in the wild last September.
Last November, Microsoft issued a batch of Exchange patches, including for the two vulnerabilities that comprise ProxyNotShell, which could be used together by attackers to remotely execute code on unpatched Exchange servers. The vulnerabilities are CVE-2022-41040, a server-side request forgery vulnerability attackers can use to access back-end servers, and CVE-2022-41082, which allows remote code execution when Remote PowerShell is activated. By exploiting the first flaw, attackers can trigger the second.
Rackspace reported that it didn’t install the Exchange update from Microsoft because of widespread reports that it could render Outlook Web Access, or OWA, inaccessible. Instead, pending Microsoft’s release of a fully working security update, the company put in place Microsoft’s recommended workarounds, intended to block attackers from using the two flaws that comprise ProxyNotShell.
On Dec. 20, CrowdStrike released a blog post detailing findings from multiple intrusions that it tied to the Play ransomware group. While that blog post does not name Rackspace as one of the victims, Rackspace later confirmed that CrowdStrike’s findings apply fully to it as well.
CrowdStrike’s blog post reports that Play didn’t use ProxyNotShell against Rackspace and others. Instead, it first targeted a different Exchange vulnerability, CVE-2022-41080, also patched by Microsoft in November. From there, attackers were able to trigger the second of the two ProxyNotShell vulnerabilities, CVE-2022-41082, even on servers whose administrators had applied the mitigation advice Microsoft provided in November. Attackers then remotely executed code on those Exchange servers.
“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable,” Rackspace says.
Microsoft didn’t respond to a request for comment on when it learned about the attack chain used by the Play group.
Rackspace says its digital forensic investigation has concluded and that additional intelligence has come to light thanks to CrowdStrike’s probe. “We will be sharing more detailed information with our customers and peers in the security community so that, collectively, we can all better defend against these types of exploits in the future,” it says.
Data Restoration Still Underway
Rackspace’s Hosted Exchange offering was primarily used by small and midsize organizations. The company has been working to restore emails for those customers from before Dec. 2, which were rendered inaccessible due to the attack.
Rackspace hasn’t responded to a request for comment about whether the outage is due to attackers crypto-locking its systems or the company’s mitigation of the attack – or a combination of both. It also hasn’t commented on when the attackers first gained access to the Exchange servers, before public signs of the attack began on Dec. 2.
As of Thursday, Rackspace reported that it has restored at least some Hosted Exchange data – and in some cases all data – for 50% of its customers. These are being provided as PST files, which customers can import into Microsoft 365.
Rackspace adds: “Less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived or otherwise do not need the historical data.”
The company says it is continuing to restore all affected data and notifying each customer directly whenever 50% or more of its data has been restored and made available. It is also developing new functionality to make the process more automated.
“In parallel, we are developing an on-demand solution for those customers who do still wish to download their data,” Rackspace says. “We expect that the on-demand solution will be available within two weeks.”