Hackers have exploited flaws in the MOVEit file transfer tool, exposing data of millions worldwide. 

June 16, 2023

Millions of people, hundreds of enterprises, U.S. government agencies and universities are currently victims of a hacking campaign by the Russia-linked ransomware group known as Cl0P. The attack exploits a flaw in the widely used MOVEit file transfer tool. The group is reported to be stealing only the information stored on the file-transfer application at the time of the intrusion, without gaining broader access.

CISA has published an advisory and is helping several federal agencies that have been hacked.

 

Urgent action is necessary: patches are available 

Organizations should respond quickly to find and remediate affected systems. Progress Software, producer of the MOVEit product, has published two patches. They are described at https://www.progress.com/security/MOVEit-transfer-and-MOVEit-cloud-vulnerability

How does BigFix help to address this threat now?  

The HCL BigFix Critical Emergency Response Team (CERT) is responding quickly to this zero-day vulnerability. They are helping users identify where MOVEit exists in their organization and, more importantly, where affected versions of MOVEit exist.

  1. For organizations with the BigFix CISA Known Exploited Vulnerabilities Content Pack, the audit fixlet is now available. 

  2. Due to the criticality of this threat, the BigFix Team has also added the audit fixlet to the Updates For Windows Applications content site. 

  3. Lastly, a software signature is being created for licensed users of BigFix Inventory to identify all instances of the MOVEit tool. 

Recommended Actions 

  1. Organizations should quickly identify the endpoints that require remediation using the provided fixlet. 

  2. Quarantine affected systems and remediate them manually. 

The global BigFix community is working together to address this threat and is actively collaborating through the BigFix blog forum.  Note: US Federal customers should not disclose identifiable information on any commercial forum.  

Every day, BigFix helps organizations address vulnerabilities quickly. 

BigFix is used to provide deeper insights into vulnerabilities and threats. BigFix provides effective methods to immediately identify and detect systems that may be vulnerable, continually analyzes your systems to identify any newly affected systems, provides historical reporting on software installations and removals to help determine the window of exposure, can validate security policies that identify whether and when specific security controls were modified or disabled by an attacker, and can deploy operating systems or image systems to rapidly recover your systems.

For more information, contact our team at info@hclfederal.com