Rubrik confirms data theft in GoAnywhere zero-day attack

Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.

Rubrik is a cloud data management service that offers enterprise data backup and recovery services and disaster recovery solutions.

In a statement from Rubrik CISO Michael Mestrovich, the company disclosed that they were victims of a large-scale attack against GoAnywhere MFT devices worldwide using a zero-day vulnerability.

GoAnywhere is a secure web file transfer solution that allows companies to securely transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files.

Rubrik says the breach was contained in a non-production IT testing environment, and no customer data was impacted.

“We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” reads the statement.

“Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”

Mestrovich also says that the threat actors did not spread laterally to the internal systems and that the test environment was taken offline to prevent further intrusions.

This disclosure comes after the Clop ransomware gang added Rubrik to their data leak site, sharing samples of stolen files and stating that the data would soon be publicly released.

The screenshots shared by the threat actors are spreadsheets containing what appears to be internal Rubrik data, such as names, email addresses, and locations of employees.

Rubrik is listed on the Clop ransomware data leak site
Source: BleepingComputer

The  for the Fortra GoAnywhere attacks, telling BleepingComputer that they breached 130 organizations to steal data over ten days.

The attacks occurred earlier this year, with  that the vulnerability was being actively exploited and .

Last week, the  to victims as they added them to their data leak site on Friday to apply leverage.

One of the listed victims, Hatch Bank, already disclosed a data breach from the attacks, stating that the attackers stole customers’ names and social security numbers.

Another victim, , also disclosed that they were breached through the GoAnywhere vulnerability but are not listed on Clop’s site.