The ransomware saga for organizations worldwide continues to unfold as we move into 2023. On December 2, 2022, Rackspace, a major cloud computing company that manages private and public cloud deployments, was hit with a ransomware attack on its managed email services.
The ransomware attack on Rackspace has taught us the importance of good cybersecurity habits. Let’s see what we can learn from the attack and how organizations can protect themselves.
Rackspace ransomware attack
Rackspace users suffered from an outage to the Rackspace Hosted Exchange service. After four days, it became apparent that this was not a typical outage.
Rackspace took to social media on December 6, 2022, posting on Twitter that the outage resulted from a ransomware attack.
It was believed that the ransomware attack initially took advantage of the ProxyNotShell vulnerability in Microsoft Exchange. Rackspace has been working with CrowdStrike to help with the investigation.
As a result, Crowdstrike found the attack used the previously unknown zero-day vulnerability that allowed attackers to bypass mitigations that ProxyNotShell Rackspace had in place.
Rackspace urges organizations to read the Crowdstrike information
The Rackspace forensic investigation determined the threat actor is a relatively newer ransomware group known as PLAY. Additionally, it is believed that the PLAY group was financially motivated to carry out the attack and may have gained access to a relatively small number of customers’ email data.
The scope of the attack
How far did the attackers go? Were they able to read customer data? Rackspace has roughly 30,000 customers in its Hosted Exchange environment (around 1 percent of its customer base).
Of the 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table (“PST”) of 27 Hosted Exchange customers.
The CrowdStrike investigation found no evidence that the threat actor viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers.
Exchange vulnerabilities risk of zero days and stolen credentials
The exploit of the Rackspace environment highlighted a new critical remote code execution (RCE) vulnerability in Exchange Server, which was initially patched back in November 2022. However, many organizations had applied vulnerability mitigations and not the patch.
The Play hacker group developed a new exploit, bypassing the mitigations for ProxyNotShell and launching the ransomware attack on the Rackspace Hosted Exchange environment. Crowdstrike has named the new exploit chain combining CVE-2022-41080 and CVE-2022-41082 OWASSRF.
Since the vulnerability was able to bypass the mitigation for the original ProxyNotShell but does not bypass the fixes in the patch, it emphasizes the need to apply proper patches to the environment rather than relying on the initial mitigations to a vulnerability.
It is often the case that attackers combine vulnerabilities, such as ProxyNotShell, along with stolen credentials to carry out an attack. While stolen credentials are not always required, compromised credentials make exploits much easier with valid system access.
Preventing a ransomware attack
Organizations today can prevent a ransomware attack by implementing best practice security recommendations. Attackers can take advantage of compromised credentials, unpatched systems, lax security around remote access systems, and poorly protected web servers.
Let’s look at the following strategies for preventing the domino effect of a ransomware attack:
- Securing remote access systems
- Strengthen password security
Patching is a vital aspect of preventing a ransomware attack. Unfortunately, as shown by the Rackspace attack, attackers often use unpatched vulnerabilities to attack critical systems and launch ransomware attacks. In the case of the Rackspace ransomware attack, hackers could bypass the mitigations but would not have been able to bypass fully patched systems.
Securing remote access systems
Another common attack vector from ransomware groups is insecure remote access systems. Any system available for remote access for legitimate employees is also a target for attackers. For example, organizations have often been attacked using insecure Remote Desktop servers or VPN connections where weak credentials are involved without multi-factor authentication. Therefore, it is essential to strengthen the security of remote access systems, ensuring these are fully patched, and users must use strong passwords for authentication along with multi-factor authentication.
Strengthen password security
Companies must think about improving their password security, as passwords are often the weakest link in most organizations’ security. In addition, users often reuse passwords between accounts and pick easily guessed or previously breached passwords, making them an easy target for compromise.
Many businesses use Microsoft Active Directory Domain Services as their on-premises identity and access management solution for securing resources. However, Active Directory does not contain native tools providing effective modern password policies. In addition, Active Directory native password policies do not protect against breached passwords.
Tools like Specops Password Policy enable organizations to meet the challenges of securing passwords from modern attacks. Organizations can use the existing Group Policies to extend password security using the Specops Password Policy security options.
- Block words common to your organization with custom dictionaries
- Prevent the use of 3+ billion compromised passwords with Breached Password Protection
- Find and remove compromised passwords in your environment
- Real-time, dynamic feedback at password change
- Block usernames, display names, specific words, consecutive characters, incremental passwords, and reuse a part of the current password
- Granular, GPO-driven targeting for any GPO level, computer, user, or group population
Protecting against ransomware
Ransomware is a growing concern for organizations worldwide, as the fallout and consequences of suffering a ransomware attack are usually severe. Significant cybersecurity attacks can lead to lawsuits, regulatory fines, lost customer confidence, and damaged brand reputation, as seen with Rackspace Technology.
As a result, protecting against ransomware attacks and the fallout requires organizations to have a multi-pronged approach to strengthen their security, including patching, securing remote access, and increasing password security.
Specops Password Policy is a solution that allows organizations to improve password security for Active Directory accounts and helps protect against breached and weak passwords
Sponsored and written by Specops Software