Rackspace has acknowledged that it was hit by the Play ransomware a month ago in an attack that compromised customers’ Microsoft Exchange accounts. The attackers apparently leveraged a zero-day vulnerability called OWASSRF that was recently analyzed by CrowdStrike.
In an interview with the San Antonio Express-News, Rackspace chief product officer John Prewitt said the company hadn’t implemented Microsoft’s November 2022 patches for the ProxyNotShell flaws in Exchange because of reported issues with them.
Still, company chief security officer Karen O’Reilly-Smith told the Express-News that the breach was due to a different exploit than ProxyNotShell.
New Exploit Identified
In a December 20 blog post, CrowdStrike researchers warned of a new exploit method they’re calling OWASSRF, which appears to have been the one leveraged in this case.
While investigating some recent Play ransomware attacks, the researchers found that the ProxyNotShell flaws hadn’t been exploited for access. “Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange,” they wrote.
The CrowdStrike blog post details the differences between ProxyNotShell and OWASSRF. Critically, the new attack appears to exploit a privilege escalation flaw, CVE-2022-41080, with a CVSS score of 8.8, which was also part of Microsoft’s November 2022 Patch Tuesday.
Key mitigations advised by CrowdStrike include the following:
- Apply the November 8, 2022 patches for Exchange, since the URL rewrite mitigations for ProxyNotShell are not effective against OWASSRF.
- If you can’t apply the patch immediately, disable OWA until the patch can be applied.
- Follow Microsoft recommendations to disable remote PowerShell for non-administrative users where possible.
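The third mitigation above is the one an Exchange administrator can act on in minutes. The following Exchange Management Shell snippet is an added example, not code from the article, CrowdStrike, Rackspace or Microsoft: it audits which accounts still have remote PowerShell enabled, then disables it for every account that is not on an explicit allow-list of administrative accounts. The allow-list names are constructed placeholders; `Get-User`, `Set-User` and the `RemotePowerShellEnabled` property are standard Exchange cmdlets and parameters.

```powershell
# Added example (not from the article or the vendors it quotes).
# Run in the Exchange Management Shell on an on-premises Exchange server.
# $AdminAllowList is a constructed placeholder; replace it with the
# administrative accounts that legitimately need remote PowerShell.

$AdminAllowList = @('exchange-admin', 'svc-exchange-ops')   # constructed placeholder names

# 1. Audit: which accounts can currently open a remote PowerShell session against Exchange?
$enabled = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -eq $true }

$enabled |
    Select-Object Name, SamAccountName, RemotePowerShellEnabled |
    Format-Table -AutoSize

# 2. Dry run: show what would change for non-administrative accounts without changing anything.
$enabled |
    Where-Object { $AdminAllowList -notcontains $_.SamAccountName } |
    Set-User -RemotePowerShellEnabled $false -WhatIf

# 3. Apply for real once the dry-run output looks correct (same pipeline without -WhatIf).
$enabled |
    Where-Object { $AdminAllowList -notcontains $_.SamAccountName } |
    Set-User -RemotePowerShellEnabled $false

# 4. Re-run the audit: only allow-listed accounts should remain enabled.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -eq $true } |
    Select-Object Name, SamAccountName
```

The allow-list is matched on `SamAccountName` so that service accounts without mailboxes are handled the same way as user accounts; keep the dry-run step, because disabling remote PowerShell for an account that runs scheduled Exchange jobs will break those jobs. This setting reduces what an attacker who reaches the PowerShell endpoint can do; it is a stop-gap and does not replace applying the November 8, 2022 patches.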
Moving on from Exchange
In a statement yesterday, Rackspace acknowledged that its forensic investigation had found “that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.”
“This zero-day exploit is associated with CVE-2022-41080,” the company added. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable.”
The biggest cloud services providers typically patch continuously to keep their systems secure, so the Rackspace oversight is a rare breach of a major cloud company.
Rackspace also reported that its investigation had found that the attacker or attackers accessed a Personal Storage Table (PST) of 27 Hosted Exchange customers, each of whom has been notified. “Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat attacker,” the company wrote.
Rackspace doesn’t plan to rebuild its Hosted Exchange email environment going forward, since migration had already been planned to Microsoft 365.