Rubrik, the Silicon Valley data security company, said that it experienced a network intrusion made possible by a zero-day vulnerability in a product it used called GoAnywhere.
In an advisory posted on Tuesday, Rubrik CISO Michael Mestrovich said an investigation into the breach found that the intruders gained access to mainly internal sales information, including company names and contact information, and a limited number of purchase orders from Rubrik distributors. The investigation, which was aided by an unnamed third-party company, concluded there was no exposure of sensitive information such as Social Security numbers, financial account numbers, or payment card data.
“We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” Mestrovich wrote. “Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”
Mestrovich left key details out of the disclosure, most notably when the breach happened and when or if Rubrik patched the vulnerability. On February 2, Cybersecurity company Fortra privately warned customers it had identified zero-day exploits of a vulnerability in its GoAnywhere MFT, an enterprise-grade managed file transfer app. Fortra urged customers to take steps to mitigate the threat until a patch became available. On February 6, Fortra fixed the vulnerability, tracked as CVE-2023-0669, with the release of version 7.1.2
Without knowing when the intrusion occurred, it’s impossible to determine if the vulnerability was a zero-day at the time it was exploited against Rubrik, or whether the breach was the result of Rubrik failing to install an available patch or take other mitigation measures in a timely manner.
Representatives of Rubrik didn’t respond to an email seeking comment about the timing of the intrusion and when or if the company patched or mitigated the vulnerability. This post will be updated if this information becomes available later.
The CVE that keeps on giving
CVE-2023-0669 has proven to be a valuable asset to threat actors. Two weeks after Fortra first disclosed the vulnerability, one of the biggest hospital chains in the US said hackers exploited it in an intrusion that gave hackers access to protected health information for one million patients. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information, said the hospital chain, Community Health Systems of Franklin, Tennessee.
Recently, Bleeping Computer reported that members of the Clop ransomware gang took credit for hacking 130 organizations by exploiting the GoAnywhere vulnerability. Research from security firm Huntress confirmed that the malware used in intrusions exploiting CVE-2023-0669 had indirect ties to Clop.
Recently, the dark web site for Clop claimed that the ransomware group had breached Rubrik. As proof, the threat actor posted nine screenshots that appeared to show proprietary information belonging to Rubrik. The screenshots appeared to confirm Rubrik’s claim that the data obtained in the intrusion was mostly limited to internal sales information.
The Clop site also claimed that the group had hacked Hatch Bank and provided 10 screenshots that appeared to confirm the claim. A bank that provides services for fintech companies, Hatch Bank said in late February that it had experienced a breach that gave access to names and Social Security numbers of roughly 140,000 customers. A letter Hatch Bank sent to some customers identified a zero-day vulnerability in GoAnywhere as the cause.
If it wasn’t clear before, it should be now: CVE-2023-0669 poses a major threat. Anyone using GoAnywhere should make it a priority to investigate their exposure to this vulnerability and respond accordingly.