Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that destroyed the company’s hosted Microsoft Exchange environments.

This follows a report last month by cybersecurity firm Crowdstrike, which detailed a new exploit used by the ransomware group to compromise Microsoft Exchange servers and gain access to a victim’s networks.

The exploit (dubbed OWASSRF) allowed attackers to bypass ProxyNotShell URL Rewrite Mitigation provided by Microsoft likely targeting a critical flaw (CVE-2022-41080) that allows remote privilege elevation on Exchange servers.

They also succeeded in obtaining remote code execution on vulnerable servers by abusing CVE-2022-41082the same bug exploited in the ProxyNotShell attacks.

Although Crowdstrike did not name the victim in its report, Rackspace officials recently revealed local media interviews and emails to BleepingComputer stating that the OWASSRF exploit was found on its network and that Play ransomware was behind last month’s ransomware attack.

“We are now very confident that the root cause in this case relates to a zero-day exploit associated with CVE-2022-41080. See a recent Blog by CrowdStrike for more information. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a chain of remote code execution that was exploitable,” said Karen O’Reilly- Smith, Rackspace Security Manager, at BleepingComputer.

“We thank CrowdStrike for their thorough work in uncovering this zero-day exploit during this investigation and will share more detailed information with our customers and our peers in the security community so that collectively we can all better ourselves. defend against these types of exploits in the future.”

Since the discovery of the attack, Rackspace has provided its customers with free licenses to migrate their email from its Hosted Exchange platform to Microsoft 365.

The company also strives to provide affected users upload links to their mailboxes (containing Hosted Exchange mail data prior to December 2) through its customer portal through an automated queue.

“We are proactively notifying customers where we have recovered more than 50% of their mailboxes,” the company said. said on the incident report page.

“We are still working meticulously to upload the remaining data to the portal. Once available for download, the PST files will be available through the customer portal for 30 days.”

Defend Exchange servers against Play ransomware attacks

CrowdStrike said the OWASSRF exploit was used to remove remote access tools such as Plink and AnyDesk from servers compromised by Rackspace.

BleepingComputer also discovered that the Play ransomware tool found online by researchers also contains ConnectWise remote administration software, which will likely be deployed in attacks.

All organizations with on-premises Microsoft Exchange servers on their network are advised to immediately apply the latest Exchange security updates (November 2022 being the minimum patch level) or disable Outlook Web Access (OWA) until so that they can apply patches for CVE-2022-41080.

Operation Play ransomware was first spotted in June 2022, after the first victims started asking for help in the IT Forums.

Since its launch, dozens of victims have uploaded ransom notes and samples to the ID Ransomware platform to identify which ransomware was used to encrypt their files.

Unlike most ransomware operations, Play gang affiliates use email as their negotiation channel and will not provide victims with a link to a Tor negotiations page in ransom notes dropped on encrypted systems.

However, they steal data from their victims’ networks before deploying ransomware payloads and will threaten to leak it online if the ransom is not paid.

Recent Play ransomware victims include the German hotel chain H-Hotels, Argentinian Judiciary of Córdobaand the Belgium city of Antwerp.