Delay proves costly: Rackspace Hosted Exchange has suffered a major outage because patches were installed late, and the company does not intend to bring the service back.
Cloud service provider Rackspace Technology has disclosed the causes of the large-scale incident that forced it to shut down its Microsoft Exchange service. The root cause of the failure was an exploit for a zero-day vulnerability.
The attack took place in early December 2022. According to the company, ransomware had penetrated its IT infrastructure. Rackspace has been unable to deal with the consequences of the incident for several weeks, and the Microsoft Exchange service had to be shut down. California-based Cole & Van Note has already filed a class-action lawsuit against Rackspace over the unavailability of its cloud services.
As has now become known, the attacker carried out the attack using a previously unknown exploit for the vulnerability described in Microsoft bulletin CVE-2022-41080. Initially, the flaw was described as allowing an attacker to elevate privileges on the attacked system. It later emerged that the hole could also be used for remote execution of arbitrary code (CVE-2022-41082) via Outlook Web Access (OWA). The attack was carried out using malware from the PLAY (PlayCrypt) family. Similar attacks have been observed since the summer of 2022, targeting organizations in Latin America, Europe and India.
Rackspace denied speculation that the ProxyNotShell exploit was the root cause of the incident. A third-party expert told Dark Reading that Rackspace had held back from applying the ProxyNotShell patch out of concern about possible "authentication errors" that could purportedly crash its Exchange services. That delay turned into a massive failure, even though the company eventually implemented the security measures recommended by Microsoft.
As for the Hosted Exchange service, Rackspace does not plan to bring it back. The company is still working on recovering user data. Of almost 30 thousand Hosted Exchange users, the attacker reportedly gained access to the PST files of 27 clients. For more than half of the affected customers, the data has been partially or completely restored, but few have taken the opportunity to download it. "This indicates to us that many of our customers have local backups or archives, and therefore do not need restored information," the company's statement emphasizes.