2 min

Tags in this article

, ,

Attackers didn’t get access to customer data.

This week data security company Rubrik announced that it had been the victim of the Fortra GoAnywhere zero-day vulnerability. This threat was exposed on Thursday, February 2, 2023 by security reporter Brian Krebs, who published a warning on Mastodon about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT managed file transfer solution. Fortra (formerly HelpSystems) evidently published an advisory on February 1, but the notice was only available to customers (requiring authentication) and there was no publicly accessible advisory.

NIST assigned the tracking number CVE-2023-0669 to this vulnerability. A patch (7.1.2) was quickly issued by Fortra on February 7. “This patch was created as a result of the issue we disclosed in the Security Advisories published last week related to GoAnywhere MFTaaS”, the company said. “We urgently advise all GoAnywhere MFT customers to apply this patch”.

This week, Rubrik’s chief information security officer Michael Mestrovich published a blog post detailing how attackers had gained access to the company’s nonproduction IT testing environments as a result of the flaw in Fortra’s GoAnywhere file-transfer software. Rubrik uses GoAnywhere for sharing internal data.

No customer data was accessed

Mestrovich was emphatic, however, that Fortra customer data had not been accessed. “We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability”, Mestrovich admitted. “Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products”.

Rubrik appears on ransomware gang list

Rubrik spokesperson Najah Simmons gave a statement to TechCrunch confirming Mestrovich’s assertion, but “declined to answer any additional questions, such as whether Rubrik has received or been made aware of a demand for payment”.

Despite Simmons’s non-comment, TechCrunch reports that Clop, a Russia-linked ransomware group, has been extorting GoAnywhere zero-day victims and claims to have already demanded payment from 130 organisations.

In fact, shortly after Rubrik’s announcement, a listing naming Rubrik appeared on Clop’s dark web leak site. TechCrunch confirmed that “samples of stolen data published by Clop align with Rubrik’s statement that it comprised mostly corporate information”.

Also read: Rubrik introduces Zero Labs, records €400 million annual revenue