Hitachi, Rubrik, Hatch Bank among those hit after file transfer software exploited
Attackers hit file transfer software to leapfrog into other systems
Hitachi Energy, the $10 billion-by-revenue energy arm of the Japanese conglomerate, says it suffered a data breach after a vulnerability in software from supplier Fortra GoAnywhere MFT was exploited by cybercriminals.
The managed file transfer (MFT) vulnerability, allocated CVE-2023-0669, was first disclosed on February 3 and has since been used to leapfrog into other corporate systems, with cloud backup specialist Rubrik also hit.
GoAnywhere MFT is a file transfer product that can be deployed in enterprise networks, as a hosted SaaS product, or on cloud platforms such as AWS. Fortra pushed a patch on February 7 after the 0day was exploited.
Hitachi Energy’s March 17 statement on the incident is an exercise in opacity that fails to explain what, precisely, happened or what was lost: “Our network operations or security of customer data have not been compromised. We will continue to update relevant parties as the investigation progresses” the company said.
But it also says it has “engaged forensic IT experts to help us analyze the nature and scope of the attack” and that the incident “could have resulted in an unauthorized access to employee data in some countries…”
GoAnywhere MFT breaches: Over 100 victims believed hit
Two other high-profile victims of GoAnywhere MFT service exploitation are Rubrik and Hatch Bank.
Rubrik, a rapidly growing disaster recovery and backup specialist, said on March 14: “We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” with CISO Michael Mestrovich (a former CIA CISO) adding: “The unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”
The current investigation has determined there was no lateral movement to other environments. Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment” Mestrovich added in a short blog.
The incident is just the latest reminder however of how challenging it is for CISOs to manage software supply chain risk and the importance of robust network segmentation to minimalism lateral movement by attackers; something both Hitachi Energy and Rubrik appear – from the limited visibility we have – to have handled well.
As first reported by TechCrunch, fintech Hatch Bank was also a victim, saying in notifications filed with Attorney General's offices that the GoAnywhere MFT vulnerability had been used to steal data of 139,493 customers.
Fortra’s GoAnywhere MFT software is the latest major file transfer software platform to be abused by hackers for downstream access. A high speed IBM file transfer platform, Aspera Faspex, has also been actively attacked by hackers who are exploiting a critical remote code execution vulnerability that requires no authentication to use, CISA warned in February. The IBM Aspera Faspex vulnerability being exploited, CVE-2022-47986, is due to a YAML deserialisation flaw and exploits an obsolete API call; it targets what Assetnote researcher Garrett described as “some specific code patterns that tend to be seen inside Ruby on Rails applications.”
The breach of file transfer software provider, Accellion in 2021 meanwhile saw sensitive data stolen from hundreds of blue chips, including Shell, Morgan Stanley, global law firm Goodwin Procter among others.