Play ransomware gang behind recent cyber attack on Rackspace

Rackspace has revealed the Play ransomware gang was behind a December attack which took down the company’s hosted Microsoft Exchange email service.

In a status update published on Thursday evening, the cloud computing firm confirmed the ransomware group gained access to Personal Storage Tables (PST) belonging to 27 hosted exchange customers.

Rackspace insisted that, at present, there is no evidence to suggest that threat actors “viewed, obtained, misused, or disseminated” emails or data belonging to the hosted exchange customers.

“No other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident,” the firm said.

At the time of Rackspace’s update, the firm revealed that “more than half” of impacted customers have had “some or all of their data available to them to download”.

“This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data,” the company said.

“We will continue working to recover all data possible as planned, however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.”

Rackspace added that the hosted Exchange service will not return following the incident.

Rackspace cyber attack

Rackspace first informed customers that it had suffered a breach on 2 December. The attack caused an outage on the company's hosted Microsoft Exchange email service, disrupting affected customers who were left unable to access email services and recover contacts or previous correspondence.

A follow-up disclosure by the firm confirmed that a ransomware attack was to blame for the incident, and subsequently began migrating customers to cloud-based Microsoft 365 services.

Initial speculation suggested that the incident was the result of the ProxyNotShell exploit, Rackspace said. However, the company said it can now “definitively state” that this is not accurate.

An investigation by CrowdStrike found that Play harnessed a zero-day exploit associated with CVE-2022-41080, known as ‘OWASSRF’, as part of the attack.

The OWASSRF zero-day exploits two vulnerabilities, tracked as CVE-2022-41080 and CVE-2022-41082, and enables threat actors to achieve remote code execution (RCE) through Outlook Web Access.

According to CrowdStrike, this method “bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell”.

“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable,” Rackspace added in its update.

CrowdStrike said it discovered this new exploit on the back of an extensive investigation into recent Play ransomware attacks that targeted Microsoft Exchange.

What is Play ransomware?

The Play ransomware group is a relative newcomer to the global cyber crime space. Also known as PlayCrypt, the group is believed to have launched in June 2022 and has already caused significant disruption to a host of major organisations.

The group previously claimed responsibility for an attack on German hotel chain, H-Hotels, and earlier this week the group said it was responsible for an attack on the State of New York (SUNY) Polytechnic.

The attack is thought to be the first major ransomware attack on the education sector so far in 2023, and led to the exposure of sensitive data such as passport information, confidential contracts, and student IDs.

According to research from Avertium, Play has primarily targeted organisations across Latin America, but has also been observed deploying attacks on India, Hungary, Spain, and the Netherlands.

“Play is known for their big game hunting tactics, such as using Cobalt Strike for post-compromise and SystemBC RAT for persistence,” Avertium said in a blog post. “They have recently started exploiting the ProxyNotShell vulnerabilities in Microsoft Exchange.

“The group also has similar tactics and techniques to the ransomware groups Hive and Nokoyawa, leading researchers to believe Play is operated by the same people.”