Rubrik Discloses Hackers Stole Internal Data via Zero-Day Exploit

Fortra advised Rubrik of the zero-day remote code execution vulnerability.

Edward Gately, Senior News Editor

March 15, 2023

Rubrik, the zero trust data security company, has disclosed hackers stole some of its data, including internal sales information, using a zero-day vulnerability.

Michael Mestrovich, Rubrik’s CISO, confirmed the cyber incident in a blog post. He said the unauthorized access via the zero-day exploit didn’t include any data Rubrik secures on behalf of its customers.

“In February of this year, one of our vendors, Fortra, the developers of the GoAnywhere Managed File Transfer, advised of a zero-day remote code execution vulnerability,” he said. “It has been reported that this vulnerability is being actively exploited across more than 100 organizations globally.”

According to Bleeping Computer, the Clop ransomware gang recently added Rubrik to their data leak site. They shared samples of stolen files. In addition, they said they will publicly release data soon.

GoAnywhere is a secure web file transfer solution. It allows companies to securely transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files.

Data Stolen from Non-Production IT Testing Environment

Rubrik detected unauthorized access to a limited amount of information in one of its non-production IT testing environments.

“The current investigation has determined there was no lateral movement to other environments,” Mestrovich said. “Rubrik took the involved non-production environment offline, and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment.”

Third-party forensics experts are assisting Rubrik with its investigation into the incident.

“The involved data mainly consists of Rubrik internal sales information, which includes certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors,” Mestrovich said.

A third-party firm is assisting Rubrik in its review of the involved data. The firm confirmed that no sensitive personal data, such as Social Security numbers, financial account numbers or payment card numbers, was exposed, Mestrovich said.

“As a cybersecurity company, the security of customer data we maintain is our highest priority,” Mestrovich said. “If we learn additional, relevant information we will update this post.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
