Cyber security-focused Rubrik admits internal system attacked via Fortra zero-day

Cloud data management and security biz Rubrik has joined the list of companies forced to deal with an attack on its systems by criminals using a Fortra zero-day vulnerability.

Update: Rubrik reveals attack containment details. 20 March 2023.

Rubrik emphasized that the system accessed was a non-production IT testing environment and that it believed there was “no lateral movement to other environments.”

The company rebranded its products as the Rubrik Security Cloud (RSC) in May last year. The purpose was to add a security layer to and above backup and provide a zero-trust stance to protecting data against ransomware and other malware threats. Fortra, formerly known as HelpSystems, provides a GoAnywhere MFT (Managed File Transfer) offering said to be an audited and secure way to centralize, simplify and automate customers’ data movements. Rubrik is a Fortra customer, using GoAnywhere to transfer file data between itself and partners.


A Rubrik blog by Michael Mestrovich, VP and Chief Information Security Officer, said that in February: “Fortra … advised of a zero-day remote code execution vulnerability. It has been reported that this vulnerability is being actively exploited across more than 100 organizations globally.”

A zero-day vulnerability is a flaw that is unknown to the vendor, and therefore unpatched, at the time attackers begin using it to gain unauthorized entry to IT systems.


Other victims of the GoAnywhere vulnerability included Community Health Systems and the Hatch Bank.

Rubrik said it “detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability.”

It took the compromised IT system offline to contain the threat and “help restore our test environment.” Fortra subsequently supplied a patch for the vulnerability.

Rubrik investigated the attack “with the assistance of third-party forensics experts” and found that “the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”

But it did involve: “Rubrik internal sales information, which includes certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors.” However, “The third-party firm has also confirmed that no sensitive personal data such as social security numbers, financial account numbers, or payment card numbers were exposed.”

According to several reports, the Clop ransomware group has since put what it claims is leaked Rubrik employee spreadsheet data on its website.

Mestrovich signed off his blog post by saying: “We sincerely regret any concern this may cause you, and as always, we appreciate your continued partnership and look forward to our ongoing work together.”

Attack containment details

In a March 20 note Mestrovich said forensic investigation had revealed that:

  1. The unauthorized access did NOT include data we secure on behalf of our customers via Rubrik products or services. In addition, there was no sensitive data stored in the impacted non-production, IT testing environment.
  2. There is no evidence of lateral movement to any other system in our network.
  3. The GoAnywhere software is not and was never used as any component in any of our products, or SaaS services or support environments we provide to our customers or partners.
  4. No evidence of additional malicious activity or compromise.
  5. Sensitive data was not stored in the impacted, non-production, IT testing environment.