Rackspace, a Texas-based provider of cloud computing services, has revealed that Play ransomware was responsible for a cyberattack on Rackspace’s Microsoft Exchange servers.
This report follows an by CrowdStrike last month, in which CrowdStrike detailed how a ransomware group used a new exploit to break into Microsoft Exchange servers and gain access to victim networks.
OWASSRF was the exploit that allowed attackers to bypass offered by Microsoft. It likely targeted a critical flaw ( ) that allows remote privilege escalation on Exchange servers.
They were also able to remotely execute code on the servers they targeted by exploiting . This bug was used in ProxyNotShell attacks.
CrowdStrike did not name the victim of the ransomware attack last month, but Rackspace representatives have disclosed, in recent as well as in emails to BleepingComputer, that the OWASSRF exploit was discovered on their network.
“We are confident now that this is a zero-day exploit related to CVE-2022-4080. For more details, see a recent created by CrowdStrike. Microsoft revealed CVE-2022-408080 as a privilege escalation vulnerability. It did not contain notes about being part of an exploitable remote code execution chain,” Karen O’Reilly-Smith, Rackspace’s Chief Safety Officer, told BleepingComputer.
“CrowdStrike was a great help in locating this zero-day attack. We will share more information with customers and other security professionals so we can collectively better protect ourselves against future exploits.”
Since the attack was detected, Rackspace has provided free licenses for customers to move their email from Hosted Exchange to Microsoft 365.
Additionally, the company will provide that contain Hosted Exchange data (before December 2) via its customer portal through an automated queue.
“We’re proactively notifying customers who have lost more than 50% of their mailboxes,” said in the incident report.
“We are working diligently to upload all the data that remains into the portal. The PST files can be downloaded through the customer portal after 30 days.”
Play ransomware attack on Exchange servers
CrowdStrike said the OWASSRF exploit was used to drop remote access tools such as Plink and AnyDesk on the compromised Rackspace servers.
BleepingComputer has also learned that researchers have discovered the Play ransomware tooling, as well as ConnectWise remote management software, online, which will most likely lead to further attacks.
Organizations running on-premises Microsoft Exchange servers are advised to apply the Exchange security updates immediately (the November 2022 updates are the minimum level), or to disable Outlook Web Access until they can apply the CVE-2022-4080 patches.
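The advice above amounts to an inventory check: every on-premises Exchange server must be at or above the November 2022 Security Update for its Cumulative Update branch. The following script is an added example, not code from the article, Rackspace or CrowdStrike. It takes a small CSV of server name and ExSetup.exe file version, the value an administrator can collect in the Exchange Management Shell with `Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo.FileVersion }`; note that `Get-ExchangeServer`'s `AdminDisplayVersion` reports only the CU, not the SU level, so it cannot be used for this check. The minimum build numbers in the table are my recollection of Microsoft's published Exchange build-number list and are an assumption of this example; the server inventory is constructed. The script also handles the two edge cases a real fleet produces: a CU too old to receive the November 2022 SU at all, and a CU released after the table was written.

```python
"""Flag on-premises Exchange servers that are below the November 2022 Security Update.

Added example, not from the article. Input: one "hostname,ExSetup.exe FileVersion"
pair per line, as collected with
    Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo.FileVersion }
"""
import re
from typing import Dict, List, Tuple

# Minimum ExSetup.exe revision that carries the November 2022 SU, per CU branch.
# ASSUMPTION: these are recalled from Microsoft's Exchange build-number table;
# verify them against the published table before relying on this output.
NOV22_MIN_REVISION: Dict[Tuple[int, int, int], int] = {
    (15, 0, 1497): 44,  # Exchange 2013 CU23
    (15, 1, 2507): 16,  # Exchange 2016 CU23
    (15, 2, 986): 36,   # Exchange 2019 CU11
    (15, 2, 1118): 20,  # Exchange 2019 CU12
}

# Constructed sample inventory (not real hosts); ExSetup reports zero-padded fields.
SAMPLE_INVENTORY = """\
# hostname,ExSetup.exe FileVersion
EX19-01,15.02.1118.020
EX19-02,15.02.1118.015
EX19-03,15.02.0986.036
EX16-01,15.01.2507.012
EX13-01,15.00.1497.044
EX19-OLD,15.02.0922.013
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'15.02.1118.020' -> (15, 2, 1118, 20); zero-padding is dropped."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ExSetup version: {text!r}")
    major, minor, cu, rev = (int(g) for g in m.groups())
    return major, minor, cu, rev


def classify(version: str) -> str:
    """Return a status for one server's ExSetup.exe version."""
    major, minor, cu, rev = parse_version(version)
    key = (major, minor, cu)
    if key in NOV22_MIN_REVISION:
        return "patched" if rev >= NOV22_MIN_REVISION[key] else "needs-nov22-su"
    same_branch = [k[2] for k in NOV22_MIN_REVISION if k[:2] == (major, minor)]
    if not same_branch:
        return "unknown-branch"          # not an Exchange 2013/2016/2019 build
    if cu > max(same_branch):
        return "newer-than-table"        # CU released after Nov 2022; confirm manually
    return "cu-without-nov22-su"         # CU too old for the SU; upgrade the CU first


def audit(csv_text: str) -> Dict[str, str]:
    """Map hostname -> status for every non-blank, non-comment line."""
    results: Dict[str, str] = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = (part.strip() for part in line.split(",", 1))
        results[name] = classify(version)
    return results


def servers_needing_action(csv_text: str) -> List[str]:
    """Hosts that are not confirmed patched, sorted for a ticket or report."""
    return sorted(name for name, status in audit(csv_text).items() if status != "patched")


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
    print("action required:", ", ".join(servers_needing_action(SAMPLE_INVENTORY)))
```

Any host that is not reported as patched should have Outlook Web Access taken offline until the update is applied, which is exactly the interim measure the advisory recommends.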
Since its inception, numerous victims have submitted ransom notes, samples and other information to the ID Ransomware platform, which lets them identify which ransomware was used to encrypt their files.
Play Gang affiliates, unlike other ransomware operators, use email to negotiate and won’t provide victims with links to Tor negotiation pages.
They also steal their victims’ data before deploying ransomware payloads, and threaten to release it online if the ransom isn’t paid.
The and the were recent Play ransomware victims.