Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for hundreds of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.
“We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080,” Karen O’Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. “Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable.”
CVE-2022-41080 is a bug that Microsoft patched in November.
An external adviser to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused “authentication errors” that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft’s recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.
Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was using a new technique to trigger the next-stage ProxyNotShell RCE flaw known as CVE-2022-41082 using CVE-2022-41080. CrowdStrike’s post did not name Rackspace at the time, but the company’s external adviser tells Dark Reading that the research about Play’s mitigation bypass method was the result of CrowdStrike’s investigation into the attack on the hosting services provider.
Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.
“Patching is the answer if you can do it,” the external adviser says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with risk of taking down its servers. “They evaluated, considered and weighed [the risk] they knew about” at the time, the external adviser says. The company still hasn’t applied the patch because the servers remain down.
A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.