The Microsoft Hosted Exchange service, which makes it simpler for companies to use Microsoft Exchange servers for email, started encountering problems on Friday, December 02. The firm confirmed the issues promptly that day and told its clients it needed to shut down the Exchange environment because of what it described as a “significant failure”.
Within 24 hours of the disruption starting on Friday, Rackspace revealed that the issues were caused by a “security incident”.
The company has not yet confirmed whether this is ransomware or another type of cyberattack, and it is likewise unclear whether there was a data breach involving customer data or other kinds of data.
Rackspace said the known effect is confined to a portion of its Hosted Exchange platform. The company added that its top experts are taking the necessary actions to assess and protect the environment.
Users have been instructed to switch to Microsoft 365 for email services until the situation is resolved. The company is offering free access to its services for impacted users. In its latest update, Rackspace said it had managed to re-establish email services for thousands of users on Microsoft 365.
“To best protect the environment, this will continue to be an extended outage of Hosted Exchange. Right now, moving to Microsoft 365 is the best solution for users, and we profoundly encourage impacted users to shift to this platform,” Rackspace said on Sunday.
Our Cybersecurity Analyst Kevin Beaumont believes that this incident may involve the exploitation of known vulnerabilities affecting Microsoft Exchange, specifically CVE-2022-41040 and CVE-2022-41082, which are known as ProxyNotShell.
ProxyNotShell came to light in September after a Vietnamese cybersecurity company saw it being exploited in certain attacks. Microsoft confirmed the exploitation and linked it to a nation-state hacker group.
The tech giant rushed to share mitigations, but experts suggested these could be easily bypassed. Microsoft only released patches in November.
Beaumont stated that the Rackspace Exchange server cluster that is currently offline was running a build number from August 2022 a couple of days ago. Given that the ProxyNotShell vulnerabilities were only fixed in November, it is possible that attackers exploited the flaws to breach Rackspace servers.
In his blog post, Beaumont said that although the vulnerability needs authentication, the exploits work without multi-factor authentication because Exchange Server does not yet support Modern Authentication at all, as Microsoft deprioritized the implementation work.
He further added, “If you are an MSP running a shared cluster, like Hosted Exchange, it implies that one compromised account on one user will compromise the entire hosted cluster. This is high risk.”