Cybersecurity vendor Rubrik disclosed a data breach Tuesday and attributed the incident to a zero-day vulnerability in Fortra's GoAnywhere MFT software.
In a statement, Rubrik CISO Michael Mestrovich confirmed that attackers accessed information from one of the company's "non-production IT testing environments." While Mestrovich said the attackers did not achieve any lateral movement within the network, the attack forced Rubrik to take its non-production infrastructure offline. The attackers also stole corporate data, including customer and partner company names, business contacts and purchase orders.
Mestrovich attributed the initial access to a zero-day flaw, now tracked as CVE-2023-0669, in Fortra's managed file transfer (MFT) software, which was disclosed as actively exploited in early February.
"In February of this year, one of our vendors, Fortra, the developers of the GoAnywhere Managed File Transfer, advised of a zero-day remote code execution vulnerability," Mestrovich wrote in the statement. "It has been reported that this vulnerability is being actively exploited across more than 100 organizations globally."
The attack timeline and the scope of affected Rubrik data are not entirely clear, as Mestrovich did not say when Rubrik detected the malicious activity, but the investigation is ongoing. So far, Mestrovich said, the stolen data did not include Social Security numbers, payment card numbers or customer data secured by Rubrik products. Rubrik offers tools and services for zero-trust data protection, ransomware investigations, incident containment and sensitive data discovery.
The Clop ransomware gang listed Rubrik on its public data leak site, which it uses to pressure victims into paying, on Tuesday, shortly before Mestrovich's statement was published. Clop's post included Rubrik's headquarters, phone number and revenue; under "information," it said: "coming soon."
Rubrik would not be the first software vendor breached by Clop. In 2020, the ransomware gang leaked stolen data after an attack against German vendor Software AG.
Rubrik declined to comment further and directed TechTarget Editorial to Mestrovich's statement.
Last month's disclosure of the GoAnywhere zero-day followed an unusual process and timeline. Cybersecurity reporter Brian Krebs was the first to issue a public warning about the actively exploited GoAnywhere zero-day, on Mastodon on Feb. 2. He said Fortra had privately disclosed it in a bulletin on Feb. 1 that was available to authenticated users only.
In the bulletin, Fortra said exploitation of the zero-day flaw required access to the administrative console, "which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS)." Fortra warned customers to ensure the administrative console was not exposed to the internet. Mitigation steps were included in the bulletin, but they were available only behind the same authentication wall.
On Feb. 3, after seeing Krebs' Mastodon post, cybersecurity vendor Rapid7 published a blog post with a technical analysis and mitigation guidance. At that point, there was no public advisory from Fortra and no patch available. Rapid7 noted that the remote code injection vulnerability was assigned a CVE ID on Feb. 7, the same day Fortra released a patch. However, Fortra does not appear to have issued any public advisory.
In a statement to TechTarget Editorial on Feb. 15, Fortra said it became aware of the GoAnywhere vulnerability on Jan. 30.
"We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, notifying all customers who may have been impacted, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying our recently developed patch," Fortra wrote in an email.
Arielle Waldman is a Boston-based reporter covering enterprise security news.