- How to clear the cache on your Windows 11 PC (and why you shouldn't wait to do it)
- These Sony headphones deliver premium sound and comfort - without the premium price
- The LG soundbar I prefer for my home theater slaps with immersive audio - and it's not the newest model
- Samsung's new flagship laptop rivals the MacBook Pro, and it's not just because of the display
- Email marketing is back and big social is panicking - everything you need to know
Personal Storage Table Files Accessed in Rackspace Attack
Rackspace has released more details of a ransomware attack in December that caused disruption for its Hosted Exchange customers, claiming that threat actors accessed files that may have contained emails, contacts and other details.
The firm was struck by the Play variant at the start of the month, forcing it to temporarily suspend its Hosted Exchange environment.
In an update yesterday, the hosting giant said that of 30,000 customers using the environment at the time of the attack, 27 had their Personal Storage Table (PST) data accessed.
A PST is a file used by Microsoft programs to store data including emails, calendar events and contacts.
However, Rackspace also sought to reassure these impacted customers with information from its IT forensics partner CrowdStrike.
“We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way,” it said.
“Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.”
The firm also revealed that the initial access vector for the Play affiliate that compromised its environment was zero-day bug CVE-2022-41080. Patched by Microsoft in November, it’s an elevation of privilege vulnerability in Exchange Server.
According to CrowdStrike, the bug was exploited alongside one of the ProxyNotShell vulnerabilities (CVE-2022-41082) to achieve remote code execution through Outlook Web Access (OWA).
“The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell,” it explained.
Citing the research, Rackspace argued that previous reports suggesting that ProxyNotShell itself was the “root cause” of the incident were therefore inaccurate.
“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for [it] being part of a remote code execution chain that was exploitable,” it said.
Editorial credit icon image: T. Schneider / Shutterstock.com
