weerapat1003 - stock.adobe.com

Rubrik customer, partner data exposed in possible Clop attack

Rubrik was supposedly compromised by the Clop ransomware gang via a zero-day vulnerability in a managed file transfer software package it uses

Rubrik, a supplier of cloud data management and security services, has disclosed a data breach, possibly attributable to the Clop (aka Cl0p) ransomware operation, arising through a previously reported zero-day in a third-party supplier’s managed file transfer (MFT) software.

The issue, found in Fortra’s GoAnywhere MFT product, was first communicated to Rubrik in February of 2023. The zero-day in question, CVE-2023-0669, is a pre-authentication command injection vulnerability in GoAnywhere’s Licence Response Servlet leading to remote code execution (RCE).

The vulnerability was patched in version 7.1.2, but not before Clop used it in over 130 known cyber attacks. The gang is known to be particularly partial to exploiting issues in file transfer products and services.

Rubrik – one of many tech firms with a heritage in storage that is now transitioning into the world of cyber security – said its investigation had now determined that an attacker had indeed accessed its systems having exploited CVE-2023-0669,

Rubrik gave no indication itself as to whether or not Clop accessed its systems, and did not explicitly state it has fallen victim to a ransomware attack. However, the gang is understood to have listed Rubrik on its dark web leak site and may be threatening to release data.

Michael Mestrovich, Rubrik CISO, said: “We detected unauthorised access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability.

“Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorised access did not include any data we secure on behalf of our customers via any Rubrik products.”

While this may be the case, the forensic review has, however, found the exposed data does relate to some of its customers and channel partners in the form of internal sales information.

“[This] includes certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors,” said Mestrovich.

“The third-party firm has also confirmed that no sensitive personal data such as social security numbers, financial account numbers, or payment card numbers were exposed.”

Mestrovich added that the investigation has found no evidence that its attacker was able to conduct any lateral movement to other environments. He said that the non-production environment was taken offline immediately, and Rubrik’s own systems and solutions used to contain the threat and restore the environment to full working order.

“As a cyber security company, the security of customer data we maintain is our highest priority. If we learn additional, relevant information we will update this post,” said Mestrovich.

“We sincerely regret any concern this may cause you, and as always, we appreciate your continued partnership and look forward to our ongoing work together.”

In an emailed statement shared with Computer Weekly’s sister title TechTarget Security, Fortra said it had taken multiple steps to address the vulnerability, including taking GoAnywhere offline temporarily, notifying affected customers, and sharing mitigation guidance.

The vulnerability was also added to the United States’ Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities catalogue, which means agencies of the US federal government are obliged to patch it by a certain date.

That it has appeared on CISA’s radar means the vulnerability is considered exceptionally dangerous, so users of Fortra GoAnywhere should prioritise remedial action.

Read more about Clop ransomware

Read more on Data breach incident management and recovery

Data Center
Data Management