Security
Headlines
HeadlinesLatestCVEs

Headline

Rackspace Sunsets Email Service Downed in Ransomware Attack

The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.

DARKReading
#vulnerability#microsoft#rce#auth

Rackspace has completed its forensic investigation into the Dec. 2 ransomware attack that took down its Hosted Exchange Email service and announced that it will discontinue that offering and transition it to cloud-based Microsoft 365.

The company said it has no plans to rebuild the hosted Exchange server environment, which has been down since the attack, and that it already had been on track to migrate to 365 before the ransomware incident.

Rackspace had decided not to apply Microsoft’s ProxyNotShell patch to its Exchange Servers amid concerns over reports that the software update caused “authentication errors” that the company feared could take down its servers. Instead, it stuck with Microsoft’s recommended mitigations for the vulnerabilities to thwart a ProxyNotShell attack.

That strategy fell apart, as the Play ransomware group was able to bypass Microsoft’s mitigations with a new exploit abusing the CVE-2022-41080 vulnerability that breached Rackspace’s Hosted Exchange systems. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable,” Rackspace noted in a post today.

Play Stole Data from 27 Rackspace Customers

According to the managed cloud hosting services company, the attackers grabbed the Personal Storage Tables (PSTs) of 27 of its around 30,000 Hosted Exchange customers, but there is no evidence the Play hackers ever viewed or distributed the pilfered information. “Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor,” the company said.

“As a reminder, no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident,” Rackspace asserted.

Meanwhile, the email data recovery efforts remain underway for its Hosted Exchange customers. “As of today, more than half of impacted customers have some or all of their data available to them for download. However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data,” Rackspace said. The company also will offer an on-demand option for customers who want to download their data.

Rackspace said it’s contacting customers for which it has recovered more than half of their mailboxes; their recovered data is available via its customer portal. “To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page (https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources) and see if your mailbox is ready to download,” the company said in its post, which provides additional resources as well.

Related news

Microsoft Advisories Are Getting Worse

A predictable patch cadence is nice, but the software giant can do more.

Ransomware in December 2022

Categories: Threat Intelligence Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in December 2022, and looks at why LockBit had to make a public apology (Read more...) The post Ransomware in December 2022 appeared first on Malwarebytes Labs.

New Wave of Cyberattacks Targeting MS Exchange Servers

By Waqas Cybercriminals are leveraging two exploit chains (ProxyNotShell/OWASSRF) to target Microsoft Exchange servers, as warned by Bitdefender Labs. This is a post from HackRead.com Read the original post: New Wave of Cyberattacks Targeting MS Exchange Servers

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone

Organizations often defer patching because of business disruption fears — but that didn't work out very well for Rackspace's Hosted Exchange service.

Rackspace Confirms Play Ransomware Gang Responsible for Recent Breach

Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach. The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment. "This zero-day exploit is associated with CVE-2022-41080," the Texas-based

Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations

The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.

Ransomware Attackers Bypass Microsoft's ProxyNotShell Mitigations With Fresh Exploit

The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.

Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations

Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,

Microsoft Patch Tuesday November 2022: Exchange ProxyNotShell RCE, JScript9, MoTW, OpenSSL, Edge, CNG, Print Spooler

Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. Alternative video link (for Russia): https://vk.com/video-149273431_456239107 The most important news of this Patch Tuesday was a release of patches […]

CVE-2022-41080

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2022-41080

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41123.

Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

By Deeba Ahmed Microsoft has urged Windows Administrators to install the updates urgently so make sure you have the latest patches installed! This is a post from HackRead.com Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately

Patch Tuesday, November 2022 Election Edition

Let's face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November's patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.

Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”

DARKReading: Latest News

US Ban on TP-Link Routers More About Politics Than Exploitation Risk