Rubrik Breached Via Zero-Day Attack Exploiting GoAnywhere

Company Says Data Breach Ties to Fortra Software Exploit; Nothing Sensitive Stolen

Cybersecurity software giant Rubrik has joined the ranks of organizations that fell victim to attackers exploiting a zero-day vulnerability in Fortra's widely used managed file transfer software, GoAnywhere MFT.

Rubrik, based in Palo Alto, California, is one of the industry's largest data resilience platforms. The company helps customers restore data after systems crash or get wiped by attackers.

Hackers used a flaw in the GoAnywhere file transfer software to access a nonproduction IT test environment at Rubrik, the company says in a Tuesday data breach notification.

The company says no Social Security numbers, bank account information or payment card details appear to have been exposed. What was stolen was information being stored by the sales department, including some customers' and business partners' names and contact details, as well as some purchase orders logged by Rubrik's distributors.

Rubrik says the breach appeared to be contained to the testing environment.

"The current investigation has determined there was no lateral movement to other environments," said Michael Mestrovich, CISO of Rubrik, who previously served as the CIA's CISO. "Rubrik took the involved nonproduction environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment."

The company has apologized for the breach. It hasn't said when the intrusion began or when it was detected.

Ransomware Group Claims Credit for Some Attacks

The Clop ransomware group claimed to Bleeping Computer on Feb. 10 that it had been behind the zero-day attacks, saying it had amassed 130 victims over the prior 10-day period.

Community Health Systems and Hatch Bank are among the organizations that have already reported falling victim. On Friday, Clop began adding victims to its data leak site, including Hatch Bank - but not CHS - and emailing victims directly with extortion demands, Bleeping Computer reported.

Hatch Bank last week reported that it had been attacked on Jan. 30 or Jan. 31 and had detected the breach on Feb. 7. It said the breach resulted in the exfiltration of personal information for almost 140,000 customers.

Also last week, Tennessee-based multistate hospital chain CHS reported that it will be notifying up to 1 million individuals that they were victims of its breach. CHS says exposed patient information includes individuals' full names, addresses, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as birthdates and Social Security numbers.

Pre-Authentication Remote Code Execution Flaw

The vulnerability being exploited by attackers, designated as CVE-2023-0669, exists in Windows and Linux versions of GoAnywhere MFT - aka managed file transfer - prior to 7.1.2. The software is sold by Fortra, formerly known as HelpSystems.

The company has more than 3,000 organizations as customers.

The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw. That means attackers can exploit the flaw to remotely execute code of their choosing without having to first authenticate in the GoAnywhere MFT administrative console.

For the attack to succeed, security experts say the administrative console must be internet-exposed.

The first known attacks to exploit the flaw began Jan. 25. On Feb. 1, Fortra issued a security alert and mitigation instructions. On Feb. 7, it released version 7.1.2 of GoAnywhere MFT, which patches the flaw.

Researchers warned that based on the patch details, they were able to quickly and easily build a working exploit for the flaw. Hence while the Clop ransomware group might have been behind the initial wave of attacks, since then, other criminal groups and state-affiliated hacking teams have likely been putting it to use.

The U.S. Cybersecurity and Infrastructure Security Agency and other federal agencies have urged all GoAnywhere MFT users to immediately upgrade their software or use workarounds to mitigate the vulnerability (see: Authorities Warn Healthcare Sector of Ongoing Clop Threats).

As of Feb. 22, more than 999 administrative consoles appeared to be internet-exposed and at risk of being compromised.
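Two facts in this section drive triage for GoAnywhere MFT operators: 7.1.2 is the first fixed release, and exploitation requires the administrative console to be reachable from the internet. The following script, an added example and not code from the article or from Fortra, shows how to rank an inventory of installs by those two facts. The inventory, host names and the `admin_console_public` field are constructed sample data; the only values taken from the article are the fixed version and the exposure condition.

```python
"""Triage a GoAnywhere MFT inventory against the CVE-2023-0669 fixed version.

Added example, not from the article or Fortra. The inventory below is
constructed sample data; only the fixed version (7.1.2) and the fact that
exploitation needs an internet-exposed administrative console come from
the article.
"""
from dataclasses import dataclass
import re

FIXED_VERSION = "7.1.2"  # first patched release, per Fortra's Feb. 7 update


@dataclass(frozen=True)
class Instance:
    host: str                   # hypothetical host name
    version: str                # as reported by the install, e.g. "7.1.1"
    admin_console_public: bool  # admin console reachable from the internet


def parse_version(text):
    """Turn '7.1.2' (or 'GoAnywhere MFT 7.1.2') into a comparable int tuple.

    Comparing version strings lexically is a classic triage bug:
    '7.1.10' < '7.1.2' as strings, although 7.1.10 is the newer build.
    Integer tuples compare correctly component by component.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when the install is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(instances):
    """Group instances by urgency.

    critical: unpatched AND admin console internet-exposed (exploitable
              pre-auth, per the article).
    patch:    unpatched, console not reachable from the internet
              (still needs the upgrade or Fortra's workaround).
    ok:       already on 7.1.2 or later.
    """
    buckets = {"critical": [], "patch": [], "ok": []}
    for inst in instances:
        if not is_vulnerable(inst.version):
            buckets["ok"].append(inst.host)
        elif inst.admin_console_public:
            buckets["critical"].append(inst.host)
        else:
            buckets["patch"].append(inst.host)
    return buckets


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    Instance("mft-test-01.example.internal", "GoAnywhere MFT 7.1.1", True),
    Instance("mft-prod-01.example.internal", "7.0.3", False),
    Instance("mft-prod-02.example.internal", "7.1.2", True),
    Instance("mft-dmz-01.example.internal", "7.1.10", True),
    Instance("mft-legacy.example.internal", "6.8.6", True),
]

if __name__ == "__main__":
    for level, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{level}: {hosts}")
```

A nonproduction host such as the constructed `mft-test-01` lands in the critical bucket just as a production one would: the Rubrik incident above is a reminder that test environments running the same software with the same exposure carry the same risk. Note also that an install in the "patch" bucket is not safe, only less urgent; it should still be upgraded or have Fortra's published mitigation applied.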

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
