"Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations"

Rackspace Technology has confirmed that the December 2022 ransomware attack that disrupted hosted email for thousands of its Small and Medium-sized Enterprise (SME) customers began with the exploitation of a Server-Side Request Forgery (SSRF) flaw in Microsoft Exchange Server tracked as CVE-2022-41080. The attack was described as a zero-day exploit, although Microsoft had released a patch for CVE-2022-41080 in November 2022; according to an external advisor, Rackspace had delayed applying the ProxyNotShell fix because of reports that it caused "authentication errors" that the company feared could take down its Exchange servers. Rackspace had instead applied Microsoft's recommended mitigations, which Microsoft at the time presented as sufficient to block the known attacks; those mitigations were URL Rewrite rules aimed at the Autodiscover request path used by the original ProxyNotShell exploit chain, and a request reaching the same backend through a different front-end path is not covered by them. CrowdStrike assisted Rackspace with the breach investigation, and the security firm published a blog post describing how the Play ransomware group was using a new technique to reach the CVE-2022-41082 ProxyNotShell Remote Code Execution (RCE) vulnerability through CVE-2022-41080, bypassing the mitigations by going through the Outlook Web Access (OWA) endpoint rather than Autodiscover. CrowdStrike's post did not name Rackspace, but the company's external advisor stated that the research on Play's mitigation bypass came from CrowdStrike's investigation of the attack on the hosting provider. This article continues to discuss new findings regarding the December 2022 ransomware attack on Rackspace.

Dark Reading reports "Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations"