Cybersecurity company Rubrik has confirmed that it suffered a data theft when a 0-day vulnerability in the Fortra GoAnywhere secure file transfer platform was exploited in one of its non-production environments. The attackers did not move laterally within the environment. Because the attack was contained to the non-production environment, the company states that no customer data was affected. Rubrik's CISO disclosed that this breach was part of a large-scale attack against GoAnywhere MFT deployments worldwide.
Rubrik is a cloud data management company that offers enterprise data backup and recovery services, as well as disaster recovery solutions. The GoAnywhere application allows companies to securely transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files. The Clop ransomware gang has claimed responsibility for this attack, stating that they have breached a total of 130 organizations over a 10-day period using this vulnerability. Fortra disclosed this vulnerability and released a patch in February. These attacks occurred prior to the disclosure.
The usual recommendations, maintaining good threat intelligence and an adequate patching schedule, would not have helped here, because the vulnerability was exploited as a 0-day before the patch was released in February. The best defense against 0-day vulnerabilities is a defense-in-depth strategy. While it will not stop the 0-day itself, layered controls make it much more likely that the intrusion is detected at an earlier step of the attack chain, which can stop the attack before any data is exfiltrated.