The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.

The sun sets into the white-capped waves of Gulf of Mexico near St. Pete, Florida; puffy clouds are orange and red
Source: Prisma by Dukas Presseagentur GmbH via Alamy Stock Photo

Rackspace has completed its forensic investigation into the Dec. 2 ransomware attack that took down its Hosted Exchange Email service, and announced that it will discontinue that offering and transition it to cloud-based Microsoft 365.

The company said it has no plans to rebuild the hosted Exchange server environment, which has been down since the attack, and that it already had been on track to migrate to 365 before the ransomware incident.

Rackspace had decided not to apply Microsoft's ProxyNotShell patch to its Exchange Servers amid concerns over reports that the software update caused "authentication errors" that the company feared could take down its servers. Instead, it stuck with Microsoft's recommended mitigations for the vulnerabilities to thwart a ProxyNotShell attack.

That strategy fell apart, as the Play ransomware group was able to bypass Microsoft's mitigations with a new exploit abusing the CVE-2022-41080 vulnerability that breached Rackspace's Hosted Exchange systems. 

"Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable," Rackspace noted in a post today.

Play Stole Data from 27 Rackspace Customers

According to the managed cloud hosting services company, the attackers grabbed the Personal Storage Tables (PSTs) of 27 of its around 30,000 Hosted Exchange customers, but there is no evidence the Play hackers ever viewed or distributed the pilfered information. 

"Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor," the company said. "As a reminder, no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident."

Meanwhile, the email data recovery efforts remain underway for its Hosted Exchange customers, with more than half of impacted customers regaining access to some or all of their data. Recovered data is available for download via the customer portal, the company said, adding that it plans to offer an on-demand option for customers who want to access their data that way.

"However, less than 5% of those customers have actually downloaded the mailboxes we have made available," Rackspace asserted in its post. "This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data."

Rackspace said it's proactively contacting customers for which it has recovered more than half of their mailboxes. 

"To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page and see if your mailbox is ready to download," the company said in its post, which provides additional resources as well.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights