Security firm Rubrik is latest to be felled by GoAnywhere vulnerability – Ars Technica

Security company Rubrik is the latest to be hit by the GoAnywhere vulnerability


Rubrik, the Silicon Valley data security company, said it experienced a network breach made possible by a zero-day vulnerability in a product it uses called GoAnywhere.

In an advisory released Tuesday, Rubrik CISO Michael Mestrovich said an investigation into the breach found the intruders gained access to primarily internal sales information, including company names and contact information, as well as a limited number of Rubrik dealer orders. The investigation, assisted by an unnamed third-party company, concluded that no sensitive information, such as social security numbers, financial account numbers, or payment card details, was disclosed.

Narrow in scope

“We have identified unauthorized access to a limited amount of information in one of our non-production IT test environments as a result of the GoAnywhere vulnerability,” Mestrovich wrote. “Based on our current investigation, which is being conducted with the assistance of third-party forensic experts, the unauthorized access did NOT include any data that we secure on behalf of our customers via Rubrik products.”

The disclosure omits important details, in particular when the breach happened and whether or when Rubrik patched the vulnerability. On February 2, cybersecurity firm Fortra privately warned customers that it had identified zero-day exploits against a vulnerability in GoAnywhere MFT, its managed enterprise file transfer application. Fortra urged customers to take steps to mitigate the threat until a patch was available. On February 6, Fortra fixed the vulnerability, tracked as CVE-2023-0669, with the release of version 7.1.2.

Without knowing when the intrusion occurred, it is impossible to determine whether the vulnerability was still a zero-day at the time it was exploited against Rubrik, or whether the breach resulted from Rubrik failing to install the available patch or to apply other mitigations in a timely manner.

Rubrik representatives did not respond to an email seeking comment on the timing of the intrusion and on when, or whether, the company patched or mitigated the vulnerability. This post will be updated if that information becomes available.

The CVE that keeps on giving

CVE-2023-0669 has proven to be a valuable asset for attackers. Two weeks after Fortra first disclosed the vulnerability, one of the largest hospital chains in the US said hackers had exploited it in a breach that gave them access to the health information of a million patients. The compromised data included protected health information under the Health Insurance Portability and Accountability Act as well as patients’ personally identifiable information, said hospital chain Community Health Systems of Franklin, Tennessee.

Bleeping Computer has since reported that members of the Clop ransomware gang were responsible for hacking 130 organizations by exploiting the GoAnywhere vulnerability. Research by security firm Huntress confirmed that the malware used in attacks exploiting CVE-2023-0669 had indirect links to Clop.

Recently, the Clop dark web site claimed that the ransomware group had breached Rubrik. As evidence, the threat actor published nine screenshots that appeared to show Rubrik’s proprietary information. The screenshots appear to corroborate Rubrik’s claim that the data obtained in the intrusion was mostly limited to internal sales information.

The Clop site also claimed the group had hacked Hatch Bank and provided 10 screenshots that appeared to confirm the claim. Hatch Bank, which provides services to fintech companies, disclosed in late February that it had suffered a breach that exposed the names and social security numbers of around 140,000 customers. A letter from Hatch Bank to affected customers cited a zero-day vulnerability in GoAnywhere as the cause.

If it wasn’t clear before, it should be clear now: CVE-2023-0669 poses a major threat. Anyone using GoAnywhere should make it a priority to investigate their exposure to this vulnerability and respond accordingly.
