The MS Exchange exploit chain recently revealed by CrowdStrike researchers is how the Play ransomware gang breached the Rackspace Hosted Exchange email environment, the company confirmed last week.
The exploit chains CVE-2022-41082, an RCE flaw, with CVE-2022-41080, a privilege escalation vulnerability, to achieve unrestricted remote access to vulnerable MS Exchange setups.
“We will be sharing more detailed information with our customers and peers in the security community so that, collectively, we can all better defend against these types of exploits in the future,” Rackspace noted in its final update on the concluded forensic investigation.
The attack fallout
Customers attempting to connect to Rackspace’s Hosted Exchange environment started having trouble on December 2, 2022, and soon enough the company confirmed that a security breach had taken place, due to a ransomware attack.
Customers – predominantly small to medium size businesses – stopped receiving and being able to send out emails, and lost access to archived emails. To help them regain email capability, Rackspace offered a free Microsoft Exchange Plan 1 license on Microsoft 365 and advice and support for making the switch, while working on recovering customers’ historical email data.
Over a month later, “more than half of impacted customers have some or all of their data available to them for download,” but less than 5% of them have downloaded those mailboxes.
“This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data,” Rackspace noted, but said that they are nevertheless working to recover all data possible.
Finally, CrowdStrike’s forensic investigation confirmed that the attackers accessed Personal Storage Tables (PSTs) of 27 Hosted Exchange customers, but that there is “no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way.”
What’s next for the customers?
While the company is set to deliver, within two weeks, an on-demand solution for those customers who wish to download their archived data, there can be no going back to using the Rackspace Hosted Exchange service.
“The Hosted Exchange email environment will not be rebuilt as a go-forward service offering,” Rackspace finally confirmed, a move that many expected.
“Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionality. There will be no price increase for our Hosted Exchange customers if they choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have. Every Hosted Exchange customer has the option to migrate and pay exactly what they are paying today or even slightly lower costs and have the same capabilities.”
Customers who don’t want to or can’t migrate to Microsoft 365 – but still have faith in the company’s security capabilities – have been pointed towards the Rackspace Email service.
In the meantime, several class-action lawsuits have been filed against Rackspace across the US due to this incident.
Play ransomware gang grows its arsenal
Rackspace did not disclose whether it paid the ransom to get the encrypted data decrypted, nor did it share what the demanded amount was.
The Play ransomware group has also recently hit the city of Antwerp (Belgium) and German hotel chain H-Hotels.
Trend Micro researchers documented Play ransomware’s attack playbook in September 2022, but the group’s initial access capabilities have clearly been improved since then by the addition of this new Exchange exploit chain – and Rackspace suffered as a consequence.
“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable,” Rackspace noted. And, unfortunately, too many organizations still lag considerably when it comes to vulnerability remediation.