LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

Lessons Learned on Ransomware Prevention from the Rackspace Attack

1 year ago 88
BOOK THIS SPACE FOR AD
ARTICLE AD

Hacker typing

The ransomware saga for organizations worldwide continues to unfold as we move into 2023. On December 2, 2022, Rackspace, a major cloud computing company that manages private and public cloud deployments, was hit with a ransomware attack on its managed email services.

The ransomware attack on Rackspace has taught us the importance of good cybersecurity habits. Let's see what we can learn from the attack and how organizations can protect themselves.

Rackspace ransomware attack

Rackspace users suffered from an outage to the Rackspace Hosted Exchange service. After four days, it became apparent that this was not a typical outage.

Rackspace took to social media on December 6, 2022, posting on Twitter that the outage resulted from a ransomware attack.

Graphical user interface, text, applicationDescription automatically generatedAfter the Hosted Exchange outage, Rackspace posted that the outage resulted from ransomware

It was believed that the ransomware attack initially took advantage of the ProxyNotShell vulnerability in Microsoft Exchange. Rackspace has been working with CrowdStrike to help with the investigation.

As a result, Crowdstrike found the attack used the previously unknown zero-day vulnerability that allowed attackers to bypass mitigations that ProxyNotShell Rackspace had in place.

Rackspace urges organizations to read the Crowdstrike information

The Rackspace forensic investigation determined the threat actor is a relatively newer ransomware group known as PLAY. Additionally, it is believed that the PLAY group was financially motivated to carry out the attack and may have gained access to a relatively small number of customers' email data.

The scope of the attack

How far did the attackers go? Were they able to read customer data? Rackspace has roughly 30,000 customers in its Hosted Exchange environment (around 1 percent of its customer base).

Of the 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table ("PST") of 27 Hosted Exchange customers.

The CrowdStrike investigation found no evidence that the threat actor viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers.

Exchange vulnerabilities risk of zero days and stolen credentials

The exploit of the Rackspace environment highlighted a new critical remote code execution (RCE) vulnerability in Exchange Server, which was initially patched back in November 2022. However, many organizations had applied vulnerability mitigations and not the patch.

The Play hacker group developed a new exploit, bypassing the mitigations for ProxyNotShell and launching the ransomware attack on the Rackspace Hosted Exchange environment. Crowdstrike has named the new exploit chain combining CVE-2022-41080 and CVE-2022-41082 OWASSRF.

Since the vulnerability was able to bypass the mitigation for the original ProxyNotShell but does not bypass the fixes in the patch, it emphasizes the need to apply proper patches to the environment rather than relying on the initial mitigations to a vulnerability.

It is often the case that attackers combine vulnerabilities, such as ProxyNotShell, along with stolen credentials to carry out an attack. While stolen credentials are not always required, compromised credentials make exploits much easier with valid system access.

Preventing a ransomware attack

Organizations today can prevent a ransomware attack by implementing best practice security recommendations. Attackers can take advantage of compromised credentials, unpatched systems, lax security around remote access systems, and poorly protected web servers.

Let's look at the following strategies for preventing the domino effect of a ransomware attack:

Patching Securing remote access systems Strengthen password security

Patching

Patching is a vital aspect of preventing a ransomware attack. Unfortunately, as shown by the Rackspace attack, attackers often use unpatched vulnerabilities to attack critical systems and launch ransomware attacks. In the case of the Rackspace ransomware attack, hackers could bypass the mitigations but would not have been able to bypass fully patched systems.

Securing remote access systems

Another common attack vector from ransomware groups is insecure remote access systems. Any system available for remote access for legitimate employees is also a target for attackers. For example, organizations have often been attacked using insecure Remote Desktop servers or VPN connections where weak credentials are involved without multi-factor authentication. Therefore, it is essential to strengthen the security of remote access systems, ensuring these are fully patched, and users must use strong passwords for authentication along with multi-factor authentication.

Strengthen password security

Companies must think about improving their password security, as passwords are often the weakest link in most organizations' security. In addition, users often reuse passwords between accounts and pick easily guessed or previously breached passwords, making them an easy target for compromise.

Many businesses use Microsoft Active Directory Domain Services as their on-premises identity and access management solution for securing resources. However, Active Directory does not contain native tools providing effective modern password policies. In addition, Active Directory native password policies do not protect against breached passwords.

Tools like Specops Password Policy enable organizations to meet the challenges of securing passwords from modern attacks. Organizations can use the existing Group Policies to extend password security using the Specops Password Policy security options.

Password PolicySpecops: Password Policy
Block words common to your organization with custom dictionaries Prevent the use of 3+ billion compromised passwords with Breached Password Protection Find and remove compromised passwords in your environment Real-time, dynamic feedback at password change Block usernames, display names, specific words, consecutive characters, incremental passwords, and reuse a part of the current password Granular, GPO-driven targeting for any GPO level, computer, user, or group population

Protecting against ransomware

Ransomware is a growing concern for organizations worldwide, as the fallout and consequences of suffering a ransomware attack are usually severe. Significant cybersecurity attacks can lead to lawsuits, regulatory fines, lost customer confidence, and damaged brand reputation, as seen with Rackspace Technology.

As a result, protecting against ransomware attacks and the fallout requires organizations to have a multi-pronged approach to strengthen their security, including patching, securing remote access, and increasing password security.

Specops Password Policy is a solution that allows organizations to improve password security for Active Directory accounts and helps protect against breached and weak passwords

Sponsored and written by Specops Software

Read Entire Article
  3. Lessons Learned on Ransomware Prevention from the Rackspace Attack

Related

Android bug can leak DNS traffic with VPN kill switch enabled

Android bug can leak DNS traffic with VPN kill switch enabled

You get a passkey, you get a passkey, everyone should get a passkey

You get a passkey, you get a passkey, everyone should get a passkey

NSA warns of North Korean hackers exploiting weak DMARC email policies

NSA warns of North Korean hackers exploiting weak DMARC email policies

Google rolls back reCaptcha update to fix Firefox issues

Google rolls back reCaptcha update to fix Firefox issues

NATO and EU condemn Russia's cyberattacks against Germany, Czechia

NATO and EU condemn Russia's cyberattacks against Germany, Czechia

Microsoft rolls out passkey auth for personal Microsoft accounts

Microsoft rolls out passkey auth for personal Microsoft accounts

Trending

1. HD Revanna
2. Zakia Wardak Afghanistan
3. WWE Backlash 2024
4. Poonch
5. Man City vs Wolves
6. Arvinder Singh Lovely
7. Drake
8. Real Madrid vs cádiz
9. ISL
10. Arsenal vs Bournemouth

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved