The list of victims compromised through exploits of a vulnerability in Fortra's GoAnywhere file transfer platform continues to grow, with data security vendor Rubrik becoming the latest to acknowledge a data breach.
Fortra, which changed its name from HelpSystems in November, offers GoAnywhere as a secure managed file transfer (MFT) product that “streamlines the exchange of data between systems, employees, customers and trading partners,” according to the company.
CRN has reached out to Fortra for comment.
What follows are five key things to know about the Fortra GoAnywhere attacks.
Vulnerability And Patch
In early February, Fortra informed customers that it had identified an actively exploited zero-day vulnerability in GoAnywhere, which could be used to remotely execute code on vulnerable systems. The Fortra advisory was first reported by journalist Brian Krebs.
On Feb. 7, Fortra released a patch for the GoAnywhere vulnerability as part of version 7.1.2. The vulnerability, tracked as CVE-2023-0669, is described as a “pre-authentication command injection vulnerability in the License Response Servlet” in GoAnywhere MFT, according to the National Vulnerability Database posting.
Exploits By Cybercrime Group
BleepingComputer reported on Feb. 10 that the Clop cybercrime gang said it was responsible for numerous attacks exploiting the GoAnywhere vulnerability.
The cybercriminal group claimed that it had stolen data from more than 130 victim organizations during a 10-day period.
On Saturday, BleepingComputer reported that the group had begun extorting victims of the GoAnywhere attacks by adding the names of alleged victims to its data leak website.
Community Health Systems Breach
Health-care provider Community Health Systems disclosed in a U.S. Securities and Exchange Commission filing on Feb. 13 that it had suffered a data breach in connection with the GoAnywhere vulnerability.
Community Health Systems said that it was believed that “approximately one million individuals may have been affected by this attack.”
The company also said in the SEC filing that it believed the breach “has not had any impact on any of the company’s information systems and that there has not been any material interruption of the company’s business operations, including the delivery of patient care.”
Hatch Bank Breach
Digital banking provider Hatch Bank notified customers on Feb. 28 that it had experienced a breach, via the GoAnywhere vulnerability, that affected customer data in late January.
The data could include customer names and Social Security numbers, and the breach affects a total of 139,493 customers, Hatch Bank said in a disclosure posted on the Maine attorney general’s website.
“On February 3, 2023, Hatch Bank was notified by Fortra of the incident and learned that its files contained on Fortra’s GoAnywhere site were subject to unauthorized access,” the bank said in its customer notification. “Fortra’s investigation determined that there was unauthorized access to the site account from January 30, 2023, to January 31, 2023.”
Rubrik Breach
On Tuesday, Rubrik CISO Michael Mestrovich disclosed in a post that the company had detected unauthorized access to “a limited amount of information” in a non-production IT testing environment in connection with the GoAnywhere vulnerability.
“Based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did not include any data we secure on behalf of our customers via any Rubrik products,” Mestrovich wrote.
The Rubrik data that was accessed “mainly consists of Rubrik internal sales information, which includes certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors,” he wrote. A third-party firm that Rubrik is working with “has also confirmed that no sensitive personal data such as Social Security numbers, financial account numbers, or payment card numbers were exposed,” Mestrovich said.
Notably, the investigation so far has found no evidence of lateral movement to Rubrik’s other environments. “Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment,” Mestrovich wrote in the post.
CRN has reached out to Rubrik for further comment.