"Rackspace Ransomware Attack Was Executed by Using Previously Unknown Security Exploit"

The Play ransomware group breached the Rackspace Hosted Exchange email system using the MS Exchange exploit chain recently disclosed by CrowdStrike researchers. The attack combines CVE-2022-41082, a Remote Code Execution (RCE) flaw, and CVE-2022-41080, a privilege escalation vulnerability, to gain remote access to vulnerable MS Exchange installations. Rackspace has not disclosed whether it paid the ransom to have the encrypted data decrypted, nor has it disclosed the sum demanded. Recent attacks by the Play ransomware group have also affected the Belgian city of Antwerp and the German hotel chain H-Hotels. In September 2022, Trend Micro researchers published the attack playbook for Play ransomware. However, it is evident that the ransomware group's initial access capabilities have been enhanced with the introduction of this new Exchange exploit chain. Rackspace highlights that Microsoft announced CVE-2022-41080 as a privilege escalation issue without noting that it was exploitable as part of an RCE chain. When it comes to remediating vulnerabilities, a large number of enterprises lag significantly behind. This article continues to discuss the Rackspace ransomware attack, what is next for customers, and the Play ransomware gang's growing arsenal.

Help Net Security reports "Rackspace Ransomware Attack Was Executed by Using Previously Unknown Security Exploit"

Submitted by Anonymous on