
Rackspace: Ransomware Bypasses ProxyNotShell Mitigations

A publicly reported issue with Microsoft's new patch prevented the web hosting provider from applying it.

Rackspace Technology, a provider of managed cloud hosting services, has confirmed that the massive attack of December 2, 2022, which disrupted email for thousands of small and midsized businesses, was carried out via a zero-day exploit for CVE-2022-41080, a vulnerability in Microsoft Exchange Server that the attackers reached through a server-side request forgery (SSRF) technique against Outlook Web Access.

In an email response, Rackspace chief security officer Karen O'Reilly-Smith said the root cause of the incident was a zero-day exploit associated with CVE-2022-41080. Microsoft had disclosed CVE-2022-41080 as a privilege escalation vulnerability, with no note that it was part of an exploitable remote code execution chain.

According to a third-party advisor to Rackspace, the company had not yet applied the ProxyNotShell patch because of a publicly reported risk that it could cause "authentication errors" and take down its Exchange servers, among other potential issues. Instead, Rackspace had implemented Microsoft's recommended mitigations for the vulnerabilities, which the software giant had presented as sufficient to prevent attacks.

Rackspace hired the security firm CrowdStrike to investigate the breach, and CrowdStrike published its findings in a public blog post. CrowdStrike described how the Play ransomware group used a new exploit method that chains CVE-2022-41080 with CVE-2022-41082, the ProxyNotShell remote code execution vulnerability.

CrowdStrike's post on Play's bypass technique was the outcome of its investigation into the attack against Rackspace, the company's external advisor confirmed.

Last month, Microsoft told Dark Reading that while the technique bypasses the mitigations Microsoft had published for ProxyNotShell, it does not bypass the actual patch.

'Patching - if you can do so - is the answer,' the external advisor says, noting that the company had weighed the risks and benefits of patching at a time when the mitigations were said to be effective and the patch had the potential to take its servers down. According to the advisor, Rackspace was aware of that risk while it was being evaluated, considered, and weighed. Because the patch was never applied, the servers remain unavailable.

A Rackspace spokesperson has not responded to questions about whether the company paid the ransomware attackers.