This Risk & Repeat podcast episode discusses new details of the Rackspace ransomware attack, as well as the questions remaining following the company's final status update.
One month after the ransomware attack on cloud provider Rackspace, questions remain about the nature of the attack, as well as the future of the company.
Rackspace last week published a final update detailing the results of the completed forensics investigation into the ransomware attack it suffered in early December. The cloud provider revealed that the attack was conducted by ransomware group Play, which accessed the Personal Storage Tables for 27 out of 30,000 of Rackspace's Hosted Exchange customers.
The attack was delivered via a previously unknown exploit for Microsoft Exchange Server. Known as OWASSRF, the exploit was first reported last month by CrowdStrike, which assisted Rackspace in its incident response investigation. The exploit combines two Exchange Server flaws: the elevation-of-privilege vulnerability CVE-2022-41080 and the ProxyNotShell remote code execution flaw CVE-2022-41082.
Additionally, Rackspace announced in its status update that its Hosted Exchange platform, which was the only service affected by the ransomware attack, would be replaced with Microsoft 365 going forward. Following the attack, Rackspace took its Hosted Exchange environment offline and began migrating customers to Microsoft 365.
In this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the latest developments in the Rackspace ransomware attack and some of the looming questions that remain.
Alexander Culafi is a writer, journalist and podcaster based in Boston.