Ransomware, Content, Breach, Content

Rackspace Update: Hackers Used Zero-Day Exploit in Ransomware Attack

Cloud computing company and managed service provider (MSP) Rackspace, a top 250 public cloud MSP, has determined that the root cause of the ransomware attack that hit the company early in December was the result of a zero-day exploit CVE-2022-41080 previously disclosed by Microsoft as a privileged escalation vulnerability.

Threat Actor Play Deemed Responsible

Early speculation was the incident resulted from the ProxyNotShell exploit. But in an incident update the San Antonio, Texas-based Rackspace said that a forensic analysis determined that the threat actor, known as Play, used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

At the time, Rackspace said the event “may result in a loss of revenue for the Hosted Exchange business, which generates approximately $30 million of annual revenue.” The hack came at a difficult time for the company, which has posted a string of quarterly losses and seen its stock price drop by 80% in the past year.

While Microsoft had disclosed the exploit and patched it in November 2022, it did not include notes for being part of a Remote Code Execution chain that was exploitable, Rackspace said.

“We have been diligent about this forensic investigation and prioritizing accuracy and precision in everything we say and do, because our credibility is important to us at Rackspace,” the company said.

Of the roughly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation found that the cyber crew gained access to a Personal Storage Table (PST) of 27 Hosted Exchange customers. PST files are used to store backup and archived copies of emails, calendar events and contacts from Exchange accounts and email inboxes.

“We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated any of the 27 Hosted Exchange customers’ emails or data in the PSTs in any way,” said Rackspace.

The company added that customers that haven’t been contacted directly can “be assured” that their data was not accessed by attackers.

What's Next for Rackspace?

The company’s hosted Exchange service will not be rebuilt as a service offering. Prior to the incident, Rackspace planned to migrate the Hosted Exchange email environment to Microsoft 365 because it has a better pricing model, the public cloud provider said.

Rackspace explained that its forensic analysis marks the final update to its status page:

“Our customer support teams will continue to work directly with customers to make their data available for download and remain on standby for any additional customer questions."

Meanwhile, Rackspace founder Richard Yoo told the San Antonio Express News that the company’s reputation is “eroding rapidly” after years of changing business plans, executive suite overhauls, financial losses, workforce reductions, culminating in the ransomware attack.

“This is not a company that’s on a trajectory of growth. They’re on a trajectory of death. It will not be around,” he said.

According to Yoo, there’s “no culture” at the company after it laid off hundreds of local personnel while expanding globally.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.