Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.
"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," Karen O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."
CVE-2022-41080 is a bug that Microsoft patched in November.
An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused "authentication errors" that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft's recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.
Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was employing a new technique to trigger the next-stage ProxyNotShell RCE flaw known as CVE-2022-41082 using CVE-2022-41080. CrowdStrike's post did not name Rackspace at the time, but the company's external advisor tells Dark Reading that the research about Play's mitigation bypass method was the result of CrowdStrike's investigation into the attack on the hosting services provider.
Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.
"Patching is the answer if you can do it," the external advisor says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with risk of taking down its servers. "They evaluated, considered and weighed [the risk] they knew about" at that time, the external advisor says. The company still hasn't applied the patch since the servers remain down.
A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.