Rackspace has released more details of a ransomware attack in December that caused disruption for its Hosted Exchange customers, claiming that threat actors accessed files that may have contained emails, contacts and other details.
The firm was struck by the Play variant at the start of the month, forcing it to temporarily suspend its Hosted Exchange environment.
In an update yesterday, the hosting giant said that of 30,000 customers using the environment at the time of the attack, 27 had their Personal Storage Table (PST) data accessed.
A PST is a file used by Microsoft programs to store data including emails, calendar events and contacts.
However, Rackspace also sought to reassure these impacted customers with information from its IT forensics partner CrowdStrike.
“We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way,” it said.
“Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.”
The firm also revealed that the initial access vector for the Play affiliate that compromised its environment was the zero-day bug CVE-2022-41080, an elevation of privilege vulnerability in Exchange Server that Microsoft patched in November.
According to CrowdStrike, the bug was exploited alongside one of the ProxyNotShell vulnerabilities (CVE-2022-41082) to achieve remote code execution through Outlook Web Access (OWA).
“The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell,” it explained.
Citing the research, Rackspace argued that previous reports suggesting that ProxyNotShell itself was the “root cause” of the incident were therefore inaccurate.
“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for [it] being part of a remote code execution chain that was exploitable,” it said.