Rackspace Confirms Play Ransomware Gang Responsible for Recent Breach
Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month’s breach.
The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.
“This zero-day exploit is associated with CVE-2022-41080,” the Texas-based company said. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable.”
Rackspace’s forensic investigation found that the threat actor accessed the Personal Storage Table (.PST) of 27 customers out of nearly 30,000 customers on the Hosted Exchange email environment.
However, the company said there is no evidence the adversary viewed, misused, or distributed the customer’s emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.
It’s currently not known if Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed OWASSRF, employed by the Play ransomware actors.
The mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have in place URL rewrite mitigations for the Autodiscover endpoint.
This involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses the blocking rules through Outlook Web Access (OWA). The flaws were addressed by Microsoft in November 2022.
The Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its November 2022 Exchange Server updates and said that the reported method targets vulnerable systems that have not applied the latest fixes.
Related news
The June 2023 Patch Tuesday security update included fixes for a bypass for two previously addressed issues in Microsoft Exchange and a critical elevation of privilege flaw in SharePoint Server.
A predictable patch cadence is nice, but the software giant can do more.
Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in December 2022, and looks at why LockBit had to make a public apology. The post Ransomware in December 2022 appeared first on Malwarebytes Labs.
By Waqas. Cybercriminals are leveraging two exploit chains (ProxyNotShell/OWASSRF) to target Microsoft Exchange servers, as warned by Bitdefender Labs. This is a post from HackRead.com. Read the original post: New Wave of Cyberattacks Targeting MS Exchange Servers
Organizations often defer patching because of business disruption fears — but that didn't work out very well for Rackspace's Hosted Exchange service.
The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.
The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.
The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.
Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,
Rackspace said a ransomware incident affected its Hosted Exchange environment and caused service disruptions. The post Rackspace confirms it suffered a ransomware attack appeared first on Malwarebytes Labs.
Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. Alternative video link (for Russia): https://vk.com/video-149273431_456239107 The most important news of this Patch Tuesday was a release of patches […]
Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41123.
By Deeba Ahmed. Microsoft has urged Windows Administrators to install the updates urgently, so make sure you have the latest patches installed! This is a post from HackRead.com. Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities
Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately
Let's face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November's patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.
Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”
Hello everyone! This episode will be about Microsoft Patch Tuesday for October 2022, including vulnerabilities that were added between September and October Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. All vulnerabilities: 105. Urgent: 2. Critical: 1. High: 29. Medium: 71. Low: 2. Let’s take a look at the most interesting vulnerabilities: Two […]
Any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.
Microsoft Exchange Server Elevation of Privilege Vulnerability.
While organizations wait for an official patch for the two zero-day flaws in Microsoft Exchange, they should scan their networks for signs of exploitation and apply these mitigations.
Even organizations that use Exchange Online may still be affected if they run a hybrid server.
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
The "ProxyNotShell" security vulnerabilities can be chained for remote code execution and total takeover of corporate email platforms.
Two ProxyShell-like vulnerabilities are being used to exploit Microsoft Exchange Servers. The post Two new Exchange Server zero-days in the wild appeared first on Malwarebytes Labs.
Microsoft officially disclosed it is investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is
Summary Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. At this time, Microsoft is aware of limited … Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More »