Menu
Browse

Cyber Incident Victim: Rubrik

Date:

Feb 2023

Location:

United States of America

Summary

Rubrik confirmed data theft by the Clop ransomware gang exploiting a zero-day vulnerability in Fortra's GoAnywhere MFT platform, resulting in unauthorized access to internal employee information including names and email addresses. The breach was contained within a non-production testing environment, with no lateral movement detected and no compromise of customer data secured through its products. Following the incident, Clop publicly listed the organization on its leak site, shared stolen data samples, and issued extortion threats, mirroring attacks on other entities like Hatch Bank and Community Health Systems which experienced customer data exposure.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

In early February 2023, Fortra disclosed active exploitation of a zero-day vulnerability in its GoAnywhere Managed File Transfer (MFT) platform, a secure web-based solution for encrypted file transfers and audit logging. Cybersecurity firm Rubrik, which provides cloud data management and backup services, subsequently confirmed unauthorized access to its systems via this vulnerability. The breach occurred in a non-production IT testing environment, with Rubrik detecting the intrusion through monitoring of the affected systems. According to Rubrik CISO Michael Mestrovichon, threat actors exploited the GoAnywhere flaw as part of a broader campaign targeting multiple organizations globally. The company contained the incident by taking the compromised test environment offline, preventing lateral movement to internal production systems or customer data repositories. Third-party forensic experts assisted in investigating the breach, which Rubrik stated did not impact any customer data secured through its products.

Cyber Incident Image

The Clop ransomware gang claimed responsibility for the attack, adding Rubrik to its data leak site in March 2023 and publishing samples of stolen internal documents. These samples included spreadsheets containing employee information such as names, email addresses, and geographic locations. Clop representatives told BleepingComputer they had compromised 130 organizations over ten days using the GoAnywhere vulnerability, leveraging stolen data for extortion by threatening public release. Rubrik’s breach occurred amid this wider campaign, with Clop initiating direct extortion emails to victims shortly before listing them on the leak site. Other affected organizations included Hatch Bank, which confirmed theft of customer names and Social Security numbers, and Community Health Systems (CHS), which disclosed a breach through the same vulnerability though it was not listed on Clop’s site. Rubrik maintained that the incident remained isolated to non-customer-facing systems, with no evidence of operational disruption or compromise of services provided to clients.

Sources
Sources available to members
1 source