Security giant Rubrik says hackers used Fortra zero-day to steal internal data

Silicon Valley–based data security company Rubrik has come forward as the latest victim of the Fortra GoAnywhere zero-day vulnerability, which has been linked to hacks targeting a hospital chain and a bank.

In a blog post published on Tuesday, Rubrik's chief information security officer Michael Mestrovich said that attackers had gained access to the company’s nonproduction IT testing environments as a result of the flaw in Fortra’s GoAnywhere file-transfer software, which Rubrik uses for sharing internal data.

This vulnerability, tracked as CVE-2023-0669, first came to light on February 2 after security journalist Brian Krebs publicly shared details of Fortra’s paywalled security advisory. Fortra released a patch for the actively exploited flaw five days later on February 7.

Mestrovich said that since learning of the flaw last month, Rubrik conducted a “comprehensive review” of the affected data with an unnamed third-party firm, which found that the data accessed mainly consists of Rubrik internal sales information, including "certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors."

“The third-party firm has also confirmed that no sensitive personal data such as Social Security numbers, financial account numbers, or payment card numbers were exposed,” Mestrovich said.

Rubrik provides enterprise data management and backup services across on-premise, cloud and hybrid networks.

In a statement, Rubrik spokesperson Najah Simmons told TechCrunch that the “unauthorized access did not include any data we secure on behalf of our customers via any Rubrik products.” Simmons declined to answer any additional questions, such as whether Rubrik has received or been made aware of a demand for payment.

Rubrik’s confirmation comes just hours after a listing naming the company appeared on the dark web leak site of the Clop ransomware gang. Samples of stolen data published by Clop, and seen by TechCrunch, align with Rubrik’s statement that it comprised mostly corporate information.

The Russia-linked Clop gang claims to have exploited the zero-day flaw to steal data from more than 130 organizations — including Hatch Bank and Community Health Systems, which last week confirmed in a filing with the Maine attorney general's office that the hackers accessed medical billing and insurance information, diagnostic and medications data, and Social Security numbers.

Back in 2019, Rubrik suffered a security lapse that exposed a massive database of customer information. An exposed server that wasn't protected with a password left tens of gigabytes of data, including customer names, contact information and casework for each corporate customer, accessible to anyone who knew the IP address of the server.