Toni Dimaano Tech 01.05.2023 02:Jan AM EST

Rackspace Names Play Ransomware As Hackers Behind December Attack

Rackspace Technology has acknowledged that the hacker known as Play was responsible for the ransomware attack that impacted email access for its Hosted Exchange customers in early December.

The company told Cybersecurity Drive on Monday that the hacker was identified after a forensic examination led by CrowdStrike, the FBI, and other specialists.

The Attack Was Allegedly Linked To A Zero-Day Exploit As Per Reports

This comes after a report from last month that described a fresh vulnerability that the ransomware gang was using to attack Microsoft Exchange servers and access a victim's networks.

According to reports, bypassing Microsoft's ProxyNotShell URL rewrite mitigations was made possible by the OWASSRF exploit.

This probably occurred as a result of the major vulnerability (CVE-2022-41080) that permits remote privilege escalation on Exchange servers being targeted.

By leveraging CVE-2022-41082, which is the same flaw used in ProxyNotShell attacks, they were also able to get remote code execution on susceptible servers.

With that, the OWASSRF exploit was discovered on Rackspace's network, and Play ransomware was identified as responsible for the ransomware attack last month.

This information was all according to emails from Rackspace officials to Bleeping Computer and recent interviews with local media.

"We thank CrowdStrike for their thorough work in discovering this zero-day exploit during the course of this investigation and will be sharing more detailed information with our customers and peers," says Karen O'Reilly-Smith, Rackspace's Chief Security Officer.

The executive also says that it is imperative that the company share the findings of this investigation with members of the security community in order to defend each other against similar attacks in the future.

Since the incident, Rackspace has given customers free licenses to move their email from its Hosted Exchange infrastructure to Microsoft 365 ever since the attack was identified.

Additionally, the business is striving to send affected individuals download links to their mailboxes as per the Chief Security Officer's statements.

The Attack Was First Spotted From Six Months Ago

As was previously mentioned by Cybersecurity Drive, the ransomware attack hit thousands of Rackspace users and prevented them from accessing emails from before the incident.

On servers compromised by Rackspace, the OWASSRF attack was used to drop remote access programs like Plink and AnyDesk.

The probe also discovered that the ConnectWise remote administration program, which is probably going to be used in assaults, is part of the Play ransomware toolset that was discovered online.

With that, before applying fixes for CVE-2022-41080, it is encouraged for all companies using on-premises Microsoft Exchange servers on their network to immediately deploy the most recent security updates for Exchange.

Numerous victims have uploaded ransom notes and samples to the ID Ransomware platform since the Play ransomware operation launched in June 2022.

It is important to note that recent victims of the Play ransomware include the Belgian city of Antwerp, the German hotel business H-Hotels, and the Córdoba Judiciary in Argentina.