Rackspace, a Texas-based cloud computing company, announced that Play ransomware and not the ProxyNotShell exploit caused last month’s attack that took down its hosted Microsoft Exchange email environments.
On December 2, Rackspace’s hosted Microsoft Exchange email service was taken down by a cyberattack, which was initially attributed to a ransomware infection.
The company then focused on retrieving affected email information, which included user message history and contacts. At the moment, more than half of impacted customers’ data is available for download.
In its latest update, however, Rackspace cites a forensic investigation in denying that the ProxyNotShell exploit was to blame for the incident. According to the company, Play ransomware used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.
Allegedly, this exploit is associated with CVE-2022-41080, identified by Microsoft as a privilege escalation vulnerability.
“Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table (‘PST’) of 27 Hosted Exchange customers,” Rackspace said in a statement.
The company said it had already informed the affected customers and that there is currently no evidence that threat actors accessed the data in the PSTs of any of the 27 Hosted Exchange users.
Rackspace also announced that it does not plan to rebuild the Hosted Exchange email environment as a go-forward service offering and will instead move fully to Microsoft 365. For customers, price plans will stay the same, provided they choose a similar package.
“Also, Rackspace Email continues to be unaffected and is an alternative option for customers who do not wish to migrate to Microsoft 365,” the company added.
Microsoft Office 365 has recently come under the spotlight for various reported vulnerabilities. WithSecure, formerly known as F-Secure Business, warned of a security flaw in Office 365 Message Encryption (OME) that could expose user email content. Additionally, researchers at cloud security firm Proofpoint have discovered that it is possible to encrypt files stored on Microsoft’s cloud apps SharePoint Online and OneDrive, both part of the Office 365 suite.
“Once executed, the attack encrypts the files in the compromised users’ accounts. Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys,” the report’s authors said.