Rubrik Breached Via Zero-Day Attack Exploiting GoAnywhere
3rd Party Risk Management , Governance & Risk Management , Patch Management
Company Says Data Breach Ties to Fortra Software Exploit; Nothing Sensitive Stolen Mathew J. Schwartz (euroinfosec) • March 15, 2023
Cybersecurity software giant Rubrik has joined the ranks of organizations that fell victim to attackers exploiting a zero-day vulnerability in Fortra’s widely used managed file transfer software, GoAnywhere MFT.
See Also: OnDemand : Learn the ABCs to the 3 V’s of Asset Management
Rubrik, based in Palo Alto, California, is one of the industry’s largest data resilience platforms. The company helps customers restore data after systems crash or get wiped by attackers.
Hackers used a flaw in the GoAnywhere file transfer software to access a nonproduction IT test environment at Rubrik, the company says in a Tuesday data breach notification.
The company says no Social Security numbers, bank account information or payment card details appear to have been exposed. What was stolen was information being stored by the sales department, including some customers’ and business partners’ names and contact details, as well as some purchase orders logged by Rubrik’s distributors.
Rubrik says the breach appeared to be contained to the testing environment.
“The current investigation has determined there was no lateral movement to other environments,” said Michael Mestrovich, CISO of Rubrik, who previously served as the CIA’s CISO. “Rubrik took the involved nonproduction environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.”
The company has apologized for the breach. It hasn’t said when it began or it was detected.
Ransomware Group Claims Credit for Some Attacks
The Clop ransomware group claimed to Bleeping Computer on Feb. 10 that it had been behind the zero-day attacks, saying it had amassed 130 victims over the prior 10-day period.
Community Health Systems and Hatch Bank are among the organizations that have already reported falling victim. On Friday, Clop began adding victims to its data leak site, including Hatch Bank – but not CHS – and emailing victims directly with extortion demands, Bleeping Computer reported.
Hatch Bank last week reported that it had been attacked on Jan. 30 or Jan. 31 and had detected the breach on Feb. 7. It said the breach resulted in the exfiltration of personal information for almost 140,000 customers.
Also last week, Tennessee-based multistate hospital chain CHS reported that it will be notifying up to 1 million individuals that they were victims of its breach. CHS says exposed patient information includes individuals’ full names, addresses, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as birthdates and Social Security numbers.
Pre-Authentication Remote Code Execution Flaw
The vulnerability being exploited by attackers, designated as CVE-2023-0669, exists in Windows and Linux versions of GoAnywhere MFT – aka managed file transfer – prior to 7.1.2. The software is sold by Fortra, formerly known as HelpSystems.
The company has more than 3,000 organizations as customers.
The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw. That means attackers can exploit the flaw to remotely execute code of their choosing without having to first authenticate in the GoAnywhere MFT administrative console.
For the attack to succeed, security experts say the administrative console must be internet-exposed.
The first known attacks to exploit the flaw began Jan. 25. On Feb. 1, Fortra issued a security alert and mitigation instructions. On Feb. 7, it released version 7.1.2 of GoAnywhere MFT, which patches the flaw.
Researchers warned that based on the patch details, they were able to quickly and easily build a working exploit for the flaw. Hence while the Clop ransomware group might have been behind the initial wave of attacks, since then, other criminal groups and state-affiliated hacking teams have likely been putting it to use.
The U.S. Cybersecurity and Infrastructure Security Agency and other federal agencies have urged all GoAnywhere MFT users to immediately upgrade their software or use workarounds to mitigate the vulnerability (see: Authorities Warn Healthcare Sector of Ongoing Clop Threats).
As of Feb. 22, more than 999 administrative consoles appeared to be internet-exposed and at risk of being compromised.