Rackspace Sunsets Email Service Downed in Ransomware Attack

The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.

Rackspace has completed its forensic investigation into the Dec. 2 ransomware attack that took down its Hosted Exchange Email service, and announced that it will discontinue that offering and transition it to cloud-based Microsoft 365.

The company said it has no plans to rebuild the hosted Exchange server environment, which has been down since the attack, and that it already had been on track to migrate to 365 before the ransomware incident.

Rackspace had decided not to apply Microsoft's ProxyNotShell patch to its Exchange servers amid concerns over reports that the security update caused "authentication errors" that the company feared could take down its servers. Instead, it relied on Microsoft's recommended interim mitigations for the vulnerabilities, which block the known attack request pattern at the web server layer rather than fixing the underlying code, to thwart a ProxyNotShell attack.

That strategy fell apart when the Play ransomware group bypassed Microsoft's mitigations with a previously unseen exploit for CVE-2022-41080 and used it to breach Rackspace's Hosted Exchange environment. Because the mitigations only filtered the request pattern already seen in the wild, a different route to the same underlying flaws went unblocked, which is the recurring weakness of mitigating instead of patching.

"Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable," Rackspace noted in a post today.

Play Stole Data from 27 Rackspace Customers

According to the managed cloud hosting services company, the attackers exfiltrated the Personal Storage Table (PST) files of 27 of its roughly 30,000 Hosted Exchange customers, but Rackspace says it found no evidence that the Play attackers ever viewed or distributed the stolen data.

"Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor," the company said. "As a reminder, no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident."

Meanwhile, email data recovery efforts remain underway for Hosted Exchange customers, with more than half of the affected customers having regained access to some or all of their data. Recovered data is available for download via the customer portal, the company said, adding that it plans to offer an on-demand retrieval option as well.

"However, less than 5% of those customers have actually downloaded the mailboxes we have made available," Rackspace asserted in its post. "This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data."

Rackspace said it is proactively contacting customers for whom it has recovered more than half of their mailboxes.

"To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page and see if your mailbox is ready to download," the company said in its post, which provides additional resources as well.