Rubrik is the Third Company to Confirm Data Breach Through GoAnywhere Bug

Community Health Systems (CHS), Hatch Bank, and now Rubrik are among the 130 victim organizations.

March 16, 2023

Rubrik Confirms Data Breach

This week, California-based cloud data management and data security company Rubrik confirmed that it suffered a data breach in February 2023 due to a zero-day vulnerability in a third-party product it was using. Rubrik is possibly one of the hundreds of companies that have fallen victim to cyber intrusions through the Fortra GoAnywhere vulnerability.

In an advisory published on March 14, 2023, Rubrik CISO Michael Mestrovich confirmed compromise of and unauthorized access to a “limited amount of information.” This comprises internal sales information, including certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors.

The cyber incident impacted one non-production IT testing environment and didn’t affect sensitive personal data such as social security numbers, financial account numbers, or payment card numbers.

GoAnywhere developer Fortra notified users of the vulnerability in the file transfer application through an advisory dated February 1, 2023. Tracked as CVE-2023-0669, the zero-day vulnerability was patched by Fortra by February 7, but not before security reporter Brian Krebs publicly shared the restricted advisory by the Minnesota-based company.

A successful exploit of CVE-2023-0669 allows threat actors to gain remote code execution capabilities on vulnerable GoAnywhere Managed File Transfer (MFT) instances.

“The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS),” Fortra noted.

The company also provided mitigation steps before releasing a patch and instituted a temporary service outage at the time to minimize the impact.

Between the time CVE-2023-0669 came to light and the time it was patched, the Clop ransomware gang told BleepingComputer that they successfully targeted and stole data from 130 companies. The ransomware syndicate added that they could move laterally within networks and release ransomware payloads for system and data encryption but decided against it, though there is no proof that they could.

Other companies impacted by GoAnywhere vulnerability

So far, Community Health Systems (CHS), Hatch Bank, and now Rubrik have confirmed attacks.

CHS is a Tennessee-based Fortune 500 company and one of the biggest healthcare providers in the U.S., with nearly 80 hospitals spread across 16 states. In the company’s February 13 filing with the Securities and Exchange Commission (SEC), the company disclosed that protected health information and personal information of up to one million individuals could have been stolen.

“While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care,” the CHS filing reads.

Later, in the first week of March, Hatch Bank disclosed to the Maine attorney general that it suffered a breach in late February. The digital and traditional banking services provider estimated the number of people whose names and Social Security numbers were exposed and exfiltrated to be 139,493.

Rubrik is now listed on the Clop ransomware leak site as one of the victims.

CVE-2023-0669 is eerily similar to the vulnerability in Accellion’s file transfer tool that was exploited to target the Reserve Bank of New Zealand, Morgan Stanley, Shell, Qualys, Singtel, Bombardier, Kroger, Washington State Auditor Office, the Australian Securities and Investments Commission (ASIC), University of Colorado, University of California, and more.

Accellion’s vulnerable File Transfer Appliance (FTA) reached end-of-life in April 2021 after being used to victimize nearly 300 organizations starting in December 2020.

While GoAnywhere MFT has been patched, it is unclear how many more companies will emerge as victims due to the vulnerability. Fortra counts the University of Cincinnati, Think Mutual Bank, Nemour, Florida’s Public Defender’s Office 4th Circuit, Adams County in Colorado, Alliant Credit Union, and others as MFT customers.

Sumeet Wadhwani
Asst. Editor, Spiceworks Ziff Davis
