The ransomware attack on Rackspace was caused by a zero-day exploit connected to a privilege escalation flaw in Microsoft Exchange Server, according to the cloud service provider.
Rackspace suffered a ransomware attack early last month during which it began to experience outages in its Hosted Exchange service. First describing it as a "security incident," Rackspace confirmed the ransomware attack on Dec. 6. As a result of the outages -- which remain ongoing -- the cloud provider moved to migrate customers to Microsoft 365.
According to a Dec. 27 post on Rackspace's Hosted Exchange outage status page, the company said its email data recovery process was "currently progressing as expected."
Rackspace CSO Karen O'Reilly-Smith said in a statement, which was provided to TechTarget Editorial via email, that the attack was the result of an elevation of privilege vulnerability in Microsoft Exchange Server, CVE-2022-41080, which was initially disclosed and patched in November.
"While there has been widespread speculation that the root cause of this incident was the result of the ProxyNotShell exploit, we can now definitively state that is not accurate. We have been diligent about this investigation -- and prioritizing accuracy and precision in everything we say and do, because our credibility is important to us at Rackspace," O'Reilly-Smith said in the statement.
"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," the statement continued. "See a recent blog by CrowdStrike for more information. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."
CrowdStrike's blog post details "OWASSRF," a new attack technique that exploits CVE-2022-41080 and has been used by the Play ransomware gang to compromise Exchange servers in recent weeks. However, the OWASSRF exploit also used one of the ProxyNotShell zero-day flaws disclosed in September, CVE-2022-41082.
Microsoft ultimately patched the two ProxyNotShell bugs as part of its November Patch Tuesday release, but because no patch was available at the time the zero-days were disclosed, Microsoft had previously provided URL Rewrite instructions to mitigate the flaws. OWASSRF bypasses the mitigations for ProxyNotShell.
An external adviser for Rackspace who wished to remain anonymous confirmed to TechTarget Editorial that Play ransomware actors used the OWASSRF exploit in the attack. The adviser said Rackspace had deployed mitigations for the ProxyNotShell bugs, but had not patched CVE-2022-41082. Similarly, the company had not patched CVE-2022-41080 prior to the Dec. 2 attack because of concerns about reported authentication issues the update caused, which were later fixed.
Although the November patches protect against this new exploit chain, OWASSRF affects organizations that mitigated the ProxyNotShell flaws in September without applying the November updates. According to cybersecurity data collection nonprofit Shadowserver Foundation, approximately 57,000 IP addresses included Exchange Servers still vulnerable to CVE-2022-41082 as of Tuesday.
O'Reilly-Smith said Rackspace will share more detailed information at a later time "so that, collectively, we can all better defend against these types of exploits in the future."
Alexander Culafi is a writer, journalist and podcaster based in Boston.