Security News

Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution on vulnerable servers through Outlook Web Access. Cybersecurity firm CrowdStrike spotted the exploit while investigating Play ransomware attacks where compromised Microsoft Exchange servers were used to infiltrate the victims' networks.

Microsoft warned today that it will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. "Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to permanently disable Basic auth use for protocols in scope," The Exchange Team said on Tuesday.

Rackspace has finally confirmed the cause of the ongoing outage of its Hosted Exchange service: it's ransomware. "As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident. We have since determined this suspicious activity was the result of a ransomware incident," the company stated in the newest released service announcement.

Cloud computing company Rackspace has suffered a security breach that has resulted in a still ongoing outage of their Hosted Exchange environment.The connectivity issues for Rackspace Hosted Exchange customers - mostly small to medium size businesses - started on Friday, with users experiencing errors when accessing the Outlook Web App and syncing their email clients.

Some of Rackspace's hosted Microsoft Exchange services have been taken down by what the company has described as a "Security incident". "On Friday, Dec 2, 2022, we became aware of an issue impacting our Hosted Exchange environment. We proactively powered down and disconnected the Hosted Exchange environment while we triaged to understand the extent and the severity of the impact. After further analysis, we have determined that this is a security incident."

American cloud computing services provider Rackspace says an ongoing outage affecting its hosted Microsoft Exchange environments and likely thousands of customers was caused by a security incident. "We are investigating an issue that is affecting our Hosted Exchange environments. More details will be posted as they become available," Rackspace said on Friday night, at 02:49 AM EST, when it acknowledged the outage.

American cloud computing services provider Rackspace is investigating a 12-hour-long and still active outage leading to connectivity issues and affecting hosted Microsoft Exchange environments they manage for their customers. "We are investigating an issue that is affecting our Hosted Exchange environments. More details will be posted as they become available," Rackspace said on Friday night, at 02:49 AM EST, when it acknowledged the outage.

Were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution on the Exchange server itself. It does mean that an automated Python script can't just scan the whole internet and potentially exploit every Exchange server in the world in a matter of minutes or hours, as we saw happen with ProxyLogon and ProxyShell in 2021.

Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell. Microsoft released security updates to address the two security flaws as part of the November 2022 Patch Tuesday, even though ProxyNotShell attacks have been detected since at least September 2022.

Unlike ProxyShell, the new bugs weren't directly exploitable by anyone with an internet connection and a misguided sense of cybersecurity adventure. We therefore assumed, probably in common with most Naked Security readers, that the patches would arrive calmly and unhurriedly as part of the October 2022 Patch Tuesday, still more than two weeks away.