According to cybersecurity firm Rubrik, attackers used a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform to steal its data. Rubrik is a cloud data management company that provides disaster recovery and enterprise data backup and recovery services.
Rubrik CISO Michael Mestrovich said that the firm had been a target of a widespread attack exploiting a zero-day vulnerability in GoAnywhere MFT devices all around the world. GoAnywhere is a secure web file transfer tool that enables businesses to share encrypted data with partners while maintaining thorough audit trails of file access. Rubrik confirmed that no client data was compromised and that the breach was isolated to an IT testing environment that was not in use.
“We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” the Rubrik statement reads. “Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”
Mestrovich adds that the test environment was shut down to stop additional attacks and that the threat actors did not move laterally to the internal systems. The announcement follows the Clop ransomware group adding Rubrik to its data leak website, where the group shared samples of stolen files and said that the data would soon be made available to the public.
The spreadsheets visible in the threat actors’ images appear to contain internal Rubrik data, including staff names, email addresses, and locations. The Clop ransomware gang has claimed responsibility for the Fortra GoAnywhere attacks, saying it infiltrated 130 businesses to steal data over ten days. The attacks occurred earlier this year; Fortra disclosed that the vulnerability was being actively exploited and issued a fix in February.
The Clop ransomware group started sending extortion emails to victims last week and listed them on its data leak site on Friday to gain leverage. Hatch Bank, one of the identified victims, previously disclosed a data breach resulting from the attacks, saying that the perpetrators obtained the names and social security information of the victims. Community Health Systems (CHS), another victim not listed on Clop’s website, also acknowledged that it was compromised via the GoAnywhere vulnerability.