In this article, we’ll look at the reasons behind the GoAnywhere zero-day exploit targeting data security firm Rubrik and its far-reaching implications for the cybersecurity industry.
We’ll also discuss the Cl0p ransomware group’s ongoing threats to organizations and the importance of addressing the GoAnywhere vulnerability.
Recently, Rubrik, a renowned cloud data management and data security firm, confirmed that it had been targeted in an attack exploiting the GoAnywhere zero-day vulnerability.
This confirmation came after the Cl0p ransomware group named Rubrik on its leak website.
On February 1, Fortra, formerly known as HelpSystems, warned its GoAnywhere managed file transfer (MFT) software users about a zero-day remote code injection exploit.
Approximately a week later, Fortra released a patch for the vulnerability, identified as CVE-2023-0669.
The Cl0p (Clop) ransomware group was soon linked to the attacks, which aimed to extort victims by accessing GoAnywhere customers’ information.
According to representatives from the ransomware gang, more than 130 organizations were affected by the GoAnywhere zero-day exploit.
However, only a few victims have come forward, including California-based digital bank Hatch Bank and healthcare provider Community Health Systems.
Following its identification by the Cl0p ransomware group on their Tor-based leak website, Rubrik confirmed that it had been hacked.
Rubrik’s CISO, Michael Mestrovich, stated that unauthorized access to a limited amount of information in a non-production IT testing environment had been detected.
A thorough investigation, aided by external experts, found no evidence of compromised data secured on behalf of customers or lateral movement to other systems.
The primary data affected in Rubrik’s case consisted of the company’s internal sales details, such as the names of clients and partner organizations, business contact data, and a small number of purchase orders from Rubrik’s distributors.
A third-party firm also confirmed that no sensitive personal data had been exposed.
For Hatch Bank, the data of around 140,000 clients was breached, leading to class-action lawsuits. Community Health Systems, a major US healthcare provider, believes that up to one million patients might have been impacted.
The Cl0p collective listed Hatch Bank on its leak site, along with Rubrik. The extent to which the other organizations featured on the site were compromised through the GoAnywhere attack remains uncertain.
For both Hatch Bank and Rubrik, the cybercriminals published several screenshots showcasing the data they obtained and threatened to leak more data unless their demands were met.
Rubrik, a Silicon Valley data security company, disclosed that a network intrusion was made possible by the zero-day vulnerability in GoAnywhere, a product it utilized.
Following an investigation, Rubrik CISO Michael Mestrovich stated that the intruders had accessed mainly internal sales information.
The investigation, assisted by an unidentified external firm, determined that confidential details like Social Security numbers, financial account numbers, or credit card information were not revealed.
Some key details remain undisclosed, such as when the breach occurred and whether Rubrik patched the vulnerability.
Without this information, it is impossible to ascertain whether the vulnerability was still a zero-day at the time of the attack on Rubrik, or whether the breach stemmed from Rubrik's failure to apply an available patch or implement other risk reduction steps promptly.
Rubrik representatives have yet to respond to inquiries about the intrusion’s timing or their handling of the vulnerability.
This security flaw has become a lucrative tool for cybercriminals.
A fortnight after Fortra initially reported the vulnerability, Community Health Systems, a major US hospital chain, announced that hackers had leveraged CVE-2023-0669 in a breach, affecting the protected health information of a million patients.
Moreover, the Cl0p ransomware group asserted that they had infiltrated 130 organizations by exploiting the GoAnywhere vulnerability.
Research by security company Huntress corroborated the indirect connection between the malware used in intrusions exploiting CVE-2023-0669 and Cl0p.
The Cl0p ransomware group's dark web leak site alleged that they had infiltrated Rubrik, presenting nine screenshots as evidence, which appeared to display Rubrik's proprietary data.
These images appeared to support Rubrik’s claim that the accessed data primarily consisted of internal sales details.
Additionally, Cl0p’s site asserted that they had hacked Hatch Bank, showcasing ten screenshots that appeared to validate the accusation.
Hatch Bank, catering to fintech firms, reported in late February that a security breach had exposed the names and Social Security numbers of about 140,000 clients.
The bank pinpointed a zero-day flaw in GoAnywhere as the root cause of the incident.
The ongoing threats posed by CVE-2023-0669 make it crucial for GoAnywhere users to investigate their exposure to this vulnerability and take appropriate action.
The consequences of failing to address the vulnerability can be severe, resulting in significant financial and reputational damage for affected organizations.
To protect against the continuing risk, it is essential for businesses and individuals to remain vigilant, prioritize cybersecurity, and implement robust measures to mitigate the impact of potential cyberattacks.