# Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations
Source URL:     https://www.darkreading.com/cloud/rackspace-ransomware-attack-microsoft-exchange-server-zero-day-exploit
Date:           20230104T2321

Managed cloud hosting services company Rackspace Technology has
confirmed that the massive Dec. 2 ransomware attack that disrupted email
services for thousands of its small-to-midsized business customers came
via a zero-day exploit against a server-side request forgery (SSRF)
vulnerability in Microsoft Exchange Server, aka [CVE-2022-41080.][1]

"We are now highly confident that the root cause in this case pertains
to a zero-day exploit associated with CVE-2022-41080," Karen
O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in
an email response. "Microsoft disclosed CVE-2022-41080 as a privilege
escalation vulnerability and did not include notes for being part of a
remote code execution chain that was exploitable."

CVE-2022-41080 is a bug that Microsoft [patched in November][2], in the
same Exchange security update that fixed the two ProxyNotShell flaws.

An external advisor to Rackspace told Dark Reading that Rackspace had
held off on applying the ProxyNotShell patch amid concerns over reports
that it caused "authentication errors" that the company feared could
take down its Exchange Servers. Instead, Rackspace had applied
Microsoft's recommended mitigations for the vulnerabilities, which
Microsoft had presented as sufficient to thwart the attacks then under way.

Rackspace hired CrowdStrike to help with its breach investigation, and
the security firm shared its findings in a blog post detailing how the
Play ransomware group was [employing a new technique][1]: using
CVE-2022-41080 as the entry point to trigger CVE-2022-41082, the
remote-code-execution half of the ProxyNotShell chain. CrowdStrike's post
did not name Rackspace at the time, but the company's external advisor
tells Dark Reading that the research about Play's mitigation bypass
method was the result of CrowdStrike's investigation into the attack on
the hosting services provider.

Microsoft told Dark Reading last month that while the attack bypasses
the previously issued ProxyNotShell mitigations, it does not bypass the
patch itself.
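The distinction Microsoft draws is the practical lesson of the incident: a mitigation that filters requests on one front-end path leaves the vulnerable back end in place, so a second path to the same back end defeats it, whereas the patch fixes the back end. The following Python is an added illustration written for this article, not code from Rackspace, CrowdStrike or Microsoft. It replays constructed IIS log lines through a filter modelled on the ProxyNotShell URL Rewrite mitigation (the regex is my recollection of Microsoft's public guidance and is an assumption here; the authoritative rule is on MSRC) and through a broader rule that keys on the PowerShell back-end target instead of the Autodiscover path. The second sample request, reaching that back end through the Outlook Web Access virtual directory, is a constructed example of the kind of alternate route the article's "mitigation bypass" refers to, not a captured exploit request.

```python
"""Why a request-pattern mitigation is weaker than a patch.

Added illustration for this article; not code from Rackspace, CrowdStrike or
Microsoft. It replays constructed IIS log lines through (a) a filter modelled
on the ProxyNotShell URL Rewrite mitigation and (b) a broader rule that keys
on the back-end target instead of one front-end path.
"""
import re
from urllib.parse import unquote

# ASSUMPTION: Microsoft's ProxyNotShell mitigation was an IIS URL Rewrite rule
# that aborts a request whose URL-decoded REQUEST_URI contains both
# "autodiscover" and "powershell". The regex is reproduced from that public
# guidance as recalled here; treat it as illustrative and verify against MSRC.
MITIGATION_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Broader detection: any front-end request that ends up addressing the
# PowerShell back end, whichever virtual directory (autodiscover, owa, ...)
# carried it. A path-specific regex cannot express this.
BACKEND_PATTERN = re.compile(r"/powershell(?:/|\?|$)", re.IGNORECASE)

# Constructed IIS W3C-style log lines, not real traffic from the incident.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-12-02 03:14:07 203.0.113.10 POST /autodiscover/autodiscover.json @evil.example/powershell?Email=autodiscover/autodiscover.json%3F@evil.example 401
2022-12-02 03:14:09 203.0.113.10 POST /owa/mastermailbox%40contoso.example/powershell - 200
2022-12-02 03:15:00 198.51.100.7 GET /owa/ - 302
2022-12-02 03:15:02 198.51.100.7 POST /ews/exchange.asmx - 200
"""


def parse_iis(log_text):
    """Yield (client_ip, method, request_uri, status) for each W3C line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, ip, method, stem, query, status = line.split(maxsplit=6)
        uri = stem if query == "-" else f"{stem}?{query}"
        yield ip, method, uri, int(status)


def mitigation_blocks(request_uri):
    """True if the URL Rewrite style mitigation would abort this request."""
    return bool(MITIGATION_PATTERN.search(unquote(request_uri)))


def targets_powershell_backend(request_uri):
    """True if the request addresses the PowerShell back end by any route."""
    return bool(BACKEND_PATTERN.search(unquote(request_uri)))


def audit(log_text):
    """Classify every request: blocked by the mitigation, aimed at the
    back end, and (the interesting case) aimed at it yet not blocked."""
    findings = []
    for ip, method, uri, status in parse_iis(log_text):
        blocked = mitigation_blocks(uri)
        backend = targets_powershell_backend(uri)
        findings.append({
            "ip": ip, "method": method, "uri": uri, "status": status,
            "blocked_by_mitigation": blocked,
            "targets_backend": backend,
            "bypass": backend and not blocked,
        })
    return findings


def mitigation_bypasses(log_text):
    """Request URIs that reach the back end despite the mitigation."""
    return [f["uri"] for f in audit(log_text) if f["bypass"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        flag = "BYPASS " if f["bypass"] else ("blocked" if f["blocked_by_mitigation"] else "-      ")
        print(f"{flag} {f['method']:4} {f['status']} {f['uri']}")
```

Run stand-alone, the Autodiscover-path request is caught by the mitigation-style filter while the OWA-path request to the same back end sails through with a 200; only the back-end-oriented rule flags both. In production the broad rule needs tuning, because the PowerShell virtual directory also carries legitimate remote-management sessions, which is one more reason the patch, not the filter, is the fix.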

"Patching is the answer if you can do it," the external advisor says,
noting that the company had seriously weighed the risk of applying the
patch at a time when the mitigations were said to be effective and the
patch came with a risk of taking down its servers. "They evaluated,
considered and weighed [the risk] they knew about" at that time, the
external advisor says. The company still hasn't applied the patch, since
the affected servers remain down.

A Rackspace spokesperson would not comment on whether Rackspace had paid
the ransomware attackers.


  [1]: https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  [2]: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040