Rackspace has completed its forensic investigation into the Dec. 2 ransomware attack that took down its Hosted Exchange Email service and announced that it will discontinue that offering and transition it to cloud-based Microsoft 365.
The company said it has no plans to rebuild the hosted Exchange server environment, which has been down since the attack, and that it already had been on track to migrate to 365 before the ransomware incident.
Rackspace had decided not to apply Microsoft’s ProxyNotShell patch to its Exchange Servers amid concerns over reports that the software update caused “authentication errors” that the company feared could take down its servers. Instead, it stuck with Microsoft’s recommended mitigations for the vulnerabilities to thwart a ProxyNotShell attack.
That strategy fell apart, as the Play ransomware group was able to bypass Microsoft’s mitigations with a new exploit abusing the CVE-2022-41080 vulnerability that breached Rackspace’s Hosted Exchange systems. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable,” Rackspace noted in a post today.
According to the managed cloud hosting services company, the attackers grabbed the Personal Storage Tables (PSTs) of 27 of its around 30,000 Hosted Exchange customers, but there is no evidence the Play hackers ever viewed or distributed the pilfered information. “Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor,” the company said.
“As a reminder, no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident,” Rackspace asserted.
Meanwhile, the email data recovery efforts remain underway for its Hosted Exchange customers. “As of today, more than half of impacted customers have some or all of their data available to them for download. However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data,” Rackspace said. The company also will offer an on-demand option for customers who want to download their data.
Rackspace said it’s contacting customers for which it has recovered more than half of their mailboxes; their recovered data is available via its customer portal. “To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page (https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources) and see if your mailbox is ready to download,” the company said in its post, which provides additional resources as well.