Rackspace says it is “highly confident” that a breach of its systems and subsequent ransomware attack involved use of a zero day exploit, or previously unknown vulnerability – with the company blaming Microsoft for failing to disclose that a vulnerability in Microsoft Exchange Server, CVE-2022-41080, could be remotely executed.
Rackspace is not referring to some previously wildly unknown Exchange zero day, but yet another bypass for yet another mitigation for yet another Exchange vulnerability: This one an Outlook Web Access (OWA) Server-side Request Forgery dubbed OWASSRF that chains the above vulnerability with CVE-2022-41082 to achieve RCE.
Rackspace's attack: Forensics and restoration
Managed services provider Rackspace was hit by Play ransomware on December 2. The attack hit some 30,000 of its customers’ hosted Exchange mailboxes. Rackspace has since said it is abandoning the managed Exchange offering for Microsoft 365. Restoration of emails has been slow and painful for the company, but it said January 5 that “more than half of impacted customers have some or all of their data available to them for download.”
Rackspace told customers in its final update on the incident: “The forensic investigation determined that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access. This zero-day exploit is associated with CVE-2022-41080. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable.”
Microsoft Exchange zero day used in Rackspace ransomware attack
The vulnerability, detailed by CrowdStrike and security providers like Huntress represents just the latest in an often confusing series of vulnerabilities, patches, bypasses, and fresh vulnerabilities that bedevilled Microsoft Exchange throughout 2021 and 2022: Think ProxyShell, ProxyRelay, ProxyNotShell, ProxyNotRelay etc.
Rackspace pointed security professionals to a blog from CrowdStrike on December 21 which said that they had discovered a new exploit method, called OWASSRF, that chains two Microsoft Exchange vulnerabilities, CVE-2022-41080 and CVE-2022-41082, to achieve remote code execution through Outlook Web Access (OWA).
CrowdStrike said that the attack bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell. Those who mitigated, rather than patched, were still exposed.
(Security researchers including Kevin Beaumont had warned of this as early as December 3.)
CrowdStrike found the RCE bug when responding to “several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange” – OWASSRF appears to have been widely abused.
Exchange users unable apply the KB5019758 patch (Rackspace’s customers could be forgiven for thinking that the company should have, irrespective of Microsoft’s disclosure failings) should disable OWA until the patch can be applied and follow Microsoft recommendations to disable remote PowerShell for non-admin users.