Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations

Published: 23/11/2024   Category: security




The hosting provider had not applied Microsoft's new patch because of publicly reported problems with the update.



Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.

"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," Karen O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

CVE-2022-41080 is a bug that Microsoft patched in November.

An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused authentication errors that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft's recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.

Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was employing a new technique to trigger the next-stage ProxyNotShell RCE flaw, known as CVE-2022-41082, using CVE-2022-41080. CrowdStrike's post did not name Rackspace at the time, but the company's external advisor tells Dark Reading that the research about Play's mitigation bypass method was the result of CrowdStrike's investigation into the attack on the hosting services provider.

Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.

"Patching is the answer if you can do it," the external advisor says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with the risk of taking down its servers. "They evaluated, considered and weighed [the risk] they knew about at that time," the external advisor says. The company still hasn't applied the patch, since the servers remain down.
A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.
