Cybersecurity company Rubrik has confirmed a data breach that was carried out using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform. Rubrik, a cloud data management service, offers enterprise data backup and recovery services, as well as disaster recovery solutions.

Attack details

In a statement from Rubrik, Chief Information Security Officer (CISO) Michael Mestrovichon discloses that they were victims of a large-scale attack against GoAnywhere MFT devices worldwide that used a zero-day vulnerability. GoAnywhere is a secure web file transfer solution that allows companies to transfer encrypted files with their partners securely while keeping detailed audit logs of who accessed the files.

Rubrik says the breach was contained in a non-production IT testing environment, and no customer data was impacted.

“We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” reads the Rubrik statement.

“Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data. This data relates to what they secure on behalf of customers via any Rubrik products.”

Mestrovichon also says that the threat actors did not spread laterally to the internal systems. The test environment was taken offline to prevent further intrusions.

Clop ransomware gang claims responsibility for Rubrik data breach

This disclosure comes after the Clop ransomware gang added Rubrik to their data leak site, sharing samples of stolen files and stating that the data would soon be publicly released. The screenshots show spreadsheets containing what appears to be internal Rubrik data, including names, email addresses, and locations of employees.

The Clop ransomware gang claims responsibility for the Fortra GoAnywhere attacks. They also said they breached 130 organizations to steal data over ten days. The attacks came to light earlier this year, with Fortra disclosing in February that the vulnerability was being actively exploited and releasing a patch.

Victims of the Rubrik data breach attack

Last week, the Clop ransomware gang began emailing extortion demands to victims, adding them to their data leak site on Friday to apply leverage. One of the listed victims, Hatch Bank, already disclosed a data breach from the attacks, stating that the attackers stole customers’ names and social security numbers. Another victim, Community Health Systems (CHS), also disclosed that they were breached through the GoAnywhere vulnerability but are not listed on Clop’s site.

Rubrik advises all customers to ensure that their GoAnywhere instances are updated to the latest version and to monitor their environments for suspicious activity. They also recommend regularly testing incident response plans to ensure they are up to date and effective.