Cyber Incident Victim: Pluralsight

On March 23, 2023, the Cl0p ransomware group listed American education company Pluralsight as a victim of its large-scale cyberattack campaign exploiting a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) platform. This incident formed part of a broader Cl0p spree involving over 130 organizations, including major entities like Virgin Red, Munich Re, Procter & Gamble, and Stanford University. The threat actors publicly disclosed victim names on their dark-web blog, claiming unauthorized access through the GoAnywhere flaw. Pluralsight confirmed the security incident but emphasized its core products and infrastructure remained unaffected. The company identified the breach vector as its use of GoAnywhere, which Fortra—the platform’s developer—had notified them about. Upon receiving this alert, Pluralsight immediately discontinued the product’s use and initiated notifications to customers whose data faced potential exposure.

Cl0p’s exploitation of the GoAnywhere vulnerability allowed exfiltration of files from Pluralsight’s environment, though the company downplayed the operational impact and data sensitivity. Pluralsight asserted no personal data related to customers or employees was compromised, mirroring responses from other affected organizations like Virgin Red and Munich Re, which described stolen data as “meaningless content” or test files. No ransomware deployment or system disruptions were reported. Pluralsight’s containment actions focused on severing ties with GoAnywhere and communicating risks to stakeholders. The broader incident revealed Cl0p’s resurgence following a 2021 operational pause after law enforcement actions against its affiliates. The gang’s March campaign leveraged the zero-day exploit aggressively, though multiple victims disputed the strategic value of exfiltrated data, suggesting possible discrepancies between Cl0p’s claims and confirmed impacts.