Rackspace announced that discontinuing hosted Exchange email services after completing its investigation on last month Ransomware attacks and planned the transition to cloud-based Microsoft 365.
Threat actors exploited the ProxyShell vulnerability to stage the attack. Rackspace had decided not to apply Microsoft’s ProxyNotShell patch to its Exchange Servers and was afraid of reports that the software update caused authentication errors, resulting in the server being down.
Play ransomware group was able to bypass Microsoft’s mitigations with a new exploit abusing the CVE-2022-41080 vulnerability that breached Rackspace’s Hosted Exchange systems.
Rackcspace attackers stolen PST of nearly 27 of its around 30,000 Hosted Exchange customers, but there is no evidence that the threat actors ever viewed or distributed the information.
The email data recovery efforts are still going on. It will offer an on-demand option for customers who want to download their data.
Rackspace said it’s contacting customers for which it has recovered more than half of their mailboxes; their recovered data is available via its customer portal.
For more details, visit https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources