Security Firm Rubrik breached by Clop gang through GoAnywhere Zero-Day exploitation

Data security firm Rubrik discloses a data breach, attackers exploited recent GoAnywhere zero-day to steal its data.

Cybersecurity firm Rubrik disclosed a data breach, a ransomware group stolen compeny data by exploiting the recently disclosed zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.

The company was the victim of a large-scale campaign targeting GoAnywhere MFT devices worldwide by exploiting the zero-day vulnerability.

Rubrik immediately launched an investigation into the incident with the help of third-party forensics experts.

In early February, the popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”

According to a statement published by Rubrik, the breach was quickly contained and only impacted a non-production IT testing environment.

“We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability. Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.” reads the statement.  

“The current investigation has determined there was no lateral movement to other environments. Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.” 

The company states that stolen data include internal sales information, certain customer and partner company information, and a limited number of purchase orders from its distributors. The company pointed out that customer data was impacted by the security breach.

“The involved data mainly consists of Rubrik internal sales information, which includes certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors. The third-party firm has also confirmed that no sensitive personal data such as social security numbers, financial account numbers, or payment card numbers were exposed.” continues the statement.

The company disclosed the data breach after the Clop ransomware group added Rubrik to the list of victims on the Tor leak site.

The gang also published samples of stolen documents as proof of the hack.

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.

Other organizations breached by exploiting the flaw in the Fortra’s GoAnywhere MFT secure file transfer are the Hatch Bank and the Community Health Systems. At this time, the Clops ransomware group only added the bank to the list of victims.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)