On Tuesday 25 March, it was revealed that cloud data management giant Rubrik had fallen victim to a cyber attack. Hackers reportedly used a vulnerability in a popular file transfer tool, Fortra's GoAnywhere Managed File Transfer product, to gain unauthorised access to Rubrik's systems. The attack was attributed to the Clop ransomware group, which has been exploiting the Fortra vulnerability in a string of attacks on various organisations.
The Clop ransomware group has become notorious for exploiting the Fortra vulnerability, which it has used to successfully attack a number of organizations in recent months. The vulnerability is a zero-day flaw in the GoAnywhere Managed File Transfer product, meaning that it is unknown to the vendor and therefore not patched. The attackers are able to use the vulnerability to gain access to the targeted systems without detection.
The attack on Rubrik highlights the ongoing threat posed by cyber attacks to cloud service providers and their customers. As more organisations move their data and applications to the cloud, they become attractive targets for hackers who are looking to exploit vulnerabilities in these systems.
A spokesperson for the company told The Record that based on an investigation being carried out by a third party, the hackers did not access any data Rubrik secures on behalf of its customers.
The spokesperson directed The Record to a longer statement from Rubrik CISO Michael Mestrovich, which said Clop’s attack began in February.
Using the widely-covered zero-day vulnerability affecting GoAnywhere, the hackers gained access to information in one of Rubrik’s non-production IT testing environments.
“The current investigation has determined there was no lateral movement to other environments,” Mestrovich said. “Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.”
Community Health Systems, Inc., one of the largest health providers in the U.S., filed documents with the SEC confirming that the sensitive data of more than one million people had been stolen following a breach that involved the compromise of its GoAnywhere system.
That filing came after the Clop ransomware group told BleepingComputer that it hacked into more than 130 organizations through the GoAnywhere vulnerability.
The Rubrik attack also highlights the need for organizations to be aware of the risks associated with third-party software and services. While these tools and services can be highly beneficial to organizations, they also introduce new vulnerabilities and risks that need to be managed. Organisations should perform due diligence on any third-party software or services they use, and ensure that appropriate security measures are in place.
The Clop ransomware gang was one of the groups that exploited the Accellion vulnerability, attacking several high-profile victims that included U.S. retail store chain Kroger, Morgan Stanley, Shell and aeroplane maker Bombardier.