Play cyber-extortion group hacked major cloud service provider Rackspace

Rackspace has officially confirmed that the Play group is responsible for the December 2 attack. The attackers gained access to the Rackspace Hosted Exchange email service using a zero-day exploit.

According to company representatives, the exploit is associated with the privilege-escalation vulnerability CVE-2022-41080. Rackspace's investigation showed that the hackers were able to access email, calendars, tasks, address books and other data in the Personal Storage Table (PST) files of 27 Rackspace customers. However, the company said that there is no evidence that this data was used or distributed. The organization now plans to wind down the Hosted Exchange service and move 30,000 customers to Microsoft 365.

It is still unknown whether Rackspace paid the cybercriminals.

It is worth noting that the announcement followed a CrowdStrike report that shed light on a new attack method used by the Play group. The technique was named OWASSRF; it is used to conduct cyberattacks on Exchange servers, to which patches that eliminate the vulnerabilities CVE-2022-41040 and CVE-2022-41082. According to experts, using CVE-2022-41080 and CVE-2022-41082 in sequence allows hackers to remotely execute arbitrary code, bypassing the Outlook Web Access (OWA) blocking rules.

Media reports cited above.