Rackspace Attributes Ransomware Attack to Microsoft

Rackspace Hybrid Cloud Security

Rackspace Technology now blames Microsoft for failing to disclose that a vulnerability in Microsoft Exchange Server, CVE-2022-41080, could be used for remote code execution. Rackspace claims it is “highly confident” that the breach of its systems and the subsequent ransomware attack involved a zero-day exploit, that is, an exploit for a previously unknown vulnerability.

At the beginning of December 2022, Rackspace Technology discovered suspicious activities in its Hosted Exchange email environment, a managed email service offered to SMBs. The managed hosting and cloud services provider then hired CrowdStrike, a global cybersecurity defense company, to assist with the investigation and remediation. Since then, it was determined that the issues were caused by a ransomware attack.

According to the managed cloud service provider, a zero-day exploit linked to a privilege escalation weakness in Microsoft Exchange Server was the source of the ‘PLAY’ ransomware assault against Rackspace. The forensic analysis revealed that the threat actor known as PLAY first gained access to the Rackspace Hosted Exchange email system by means of a previously unidentified security flaw.

Microsoft Exchange Upgrade vs. URL Rewrites

However, Microsoft had issued security fixes for the Microsoft Exchange flaws in November. Microsoft had also published a warning stating that the security flaws had already been exploited in zero-day attacks.

To protect organizations during the period when security updates were not yet available, Microsoft published temporary mitigations in the form of URL rewrite rules intended to block exploitation of the security flaws. This was only a stopgap measure, and in November Microsoft advised installing the available updates as the permanent fix.

Rackspace opted against installing the updates because they might cause operational issues, and relied on the URL rewrites alone. But even after the URL rewrites were made public, it became clear that they were not entirely reliable: because earlier versions of the rewrite rules did not work properly, Microsoft revised and re-released them several times. In November, Microsoft went further, advising against relying on the previously suggested URL rewrites and urging businesses to install the Exchange update promptly.

Microsoft 365

Over the holidays and into the New Year, Rackspace says its team worked diligently to aid in the recovery process.

Rackspace will not rebuild the Hosted Exchange email environment as a go-forward service. The migration of the Hosted Exchange email infrastructure to Microsoft 365, which has a more flexible pricing model and more contemporary features and capabilities, had already been planned before the latest security incident.

Every user of Rackspace’s Hosted Exchange solution has the option to migrate and pay exactly what they are paying now, or perhaps somewhat less, while retaining the same capabilities. Additionally, Rackspace Email is offered as an alternative for those who do not want to switch to Microsoft 365.