Rackspace has said its major security incident with its Hosted Exchange service was caused by a ‘zero-day’ exploit, and while the company continues to recover customer data it will not be bringing back the service.
On December 5 Rackspace suffered a major outage with its Hosted Exchange environment. Initially, it blamed the issue on an undisclosed "security incident" before later revealing it to be a ransomware attack. Data recovery efforts began more than two weeks later despite the service still being offline.
Play ransomware uses zero day on Rackspace
In a lengthy update to its status page this week, the company outlined the root cause of the attack, gave a further update to customer data recovery efforts, and confirmed it will not be bringing back the Hosted Exchange service.
Addressing speculation that the root cause of the incident was the ProxyNotShell exploit, Rackspace said it could “definitively state” this was not the case.
“The forensic investigation determined that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment,” the company said. “This zero-day exploit is associated with CVE-2022-41080. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable.”
Discovered by Microsoft, CVE-2022-41080 is an Exchange Server elevation of privilege vulnerability, allowing attackers to impersonate any other user of the Exchange server and take control of the service. It was given high severity scores when published in November, before the Rackspace incident. A patch from Microsoft is available.
However, according to a CrowdStrike update from December 20, which followed the security firm’s investigations into several Play ransomware incidents, CVE-2022-41080 can be used to achieve remote code execution (RCE) through Outlook Web Access (OWA).
According to security firm Avertium, Play ransomware (also known as PlayCrypt) is a new ransomware operation that launched in June 2022. It has targeted organizations in Latin America, Europe, and India. The ransomware note left behind contains the single word PLAY, as well as the group’s contact email address, while the extension .play is added after file encryption. Researchers have noted similar behavior and tactics to HIVE, Quantum, and Nokoyawa ransomware. The group is also known to exfiltrate data.
Rackspace Hosted Exchange recovery
Rackspace said that, of the almost 30,000 customers on the Hosted Exchange email environment at the time of the attack, its investigation determined the threat actor accessed a Personal Storage Table (PST) of 27 Hosted Exchange customers. Rackspace said it has communicated with all 27 of those customers.
“According to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way,” the update noted. “Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.”
On the recovery side, Rackspace said “more than half” of impacted customers have “some or all” of their data available to them for download, but fewer than 5 percent of those customers have actually downloaded the mailboxes made available.
“This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data,” the company said. “We will continue working to recover all data possible as planned, however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.”
While the company continues its recovery efforts to save customer data, the service itself will not be recovered. Rackspace said the Hosted Exchange email environment will not be rebuilt as a go-forward service offering.
“Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionality,” Rackspace said.
Hosted Exchange customers will have the option to migrate to Office 365 or Rackspace Email.
“While the Hosted Exchange email environment was a small part of our business, it represents thousands of long-time and loyal customers whom we deeply value. We sincerely thank all of our Hosted Exchange customers for their continued patience and trust in us throughout this process and will continue to work hard to maintain the relationships we have built with them over the years.”