Hackers used Fortra zero-day to steal sales data from cloud management giant Rubrik
Cloud data management giant Rubrik confirmed that hackers attacked the company using a vulnerability in a popular file transfer tool.
The Clop ransomware group — which has been the primary force behind the exploitation of a vulnerability affecting Fortra’s GoAnywhere Managed File Transfer product — added Rubrik to its list of victims on Tuesday.
A spokesperson for the company told The Record that based on an investigation being carried out by a third party, the hackers did not access any data Rubrik secures on behalf of its customers.
The spokesperson directed The Record to a longer statement from Rubrik CISO Michael Mestrovich, which said Clop’s attack began in February.
Using the widely-covered zero-day vulnerability affecting GoAnywhere, the hackers gained access to information in one of Rubrik’s non-production IT testing environments.
“The current investigation has determined there was no lateral movement to other environments,” Mestrovich said. “Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.”
The data impacted by the incident is mostly internal sales information, including customer and partner names, business contacts, and a “limited number” of purchase orders from distributors, he said.
The third-party security firm investigating the incident said there was no sensitive personal data such as Social Security numbers, financial account numbers, or payment card numbers exposed in the servers accessed.
Mestrovich noted that more than 100 organizations are being actively exploited through the GoAnywhere vulnerability.
Dozens of victims
Fortra said last month that it is working with customers and the Cybersecurity and Infrastructure Security Agency (CISA) on a response to the spate of ransomware attacks targeting the zero-day, which is tracked as CVE-2023-0669.
The company has faced significant backlash for being tight-lipped about the attacks on GoAnywhere – which is used by dozens of major companies and schools, including the University of Cincinnati, Think Mutual Bank, Nemours and many local government offices.
One of the largest health providers in the U.S. filed documents with the SEC confirming that the sensitive data of more than one million people had been stolen following a breach that involved the compromise of its GoAnywhere system.
That filing came after the Clop ransomware group told BleepingComputer that it hacked into more than 130 organizations through the GoAnywhere vulnerability.
Last week, Hatch Bank said hackers used the Fortra bug to steal 140,000 customer Social Security numbers.
CISA added the bug to its list of exploited vulnerabilities and gave civilian federal agencies until March 3 to patch the issue.
Fortra spent weeks publishing only private advisories about the issues in its customer portal but eventually told The Record that it was first made aware of attacks on GoAnywhere on January 30.
Since then, the Clop ransomware group has continued to post victims on its leak site.
File sharing platforms like GoAnywhere MFT are prime targets for nation-states and criminal hackers due to the data they might contain and their wide deployment across organizations.
Vulnerabilities affecting another file transfer provider, Accellion, were used repeatedly to target financial institutions, government agencies, universities and corporations.
The Clop ransomware gang was one of the groups that exploited the Accellion vulnerability, attacking several high-profile victims that included U.S. retail store chain Kroger, Morgan Stanley, Shell and airplane maker Bombardier.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.