
MOVEit Transfer — Cl0p mass exploitation

Cl0p exploited a SQL-injection zero-day in MOVEit Transfer before it was patched, silently exfiltrating data from more than 2,700 organisations, including US government agencies and major corporations.

Target
MOVEit Transfer (Progress Software)
Date public
31 May 2023
Sector
Technology
Attack type
Vulnerability Exploit
Threat actor
Cl0p
Severity
Critical
Region
Global — 2,700+ organisations affected

MOVEit Transfer is software that businesses use to move large files securely to and from external partners: payroll providers, pension administrators, government agencies. It runs on the organisation's own servers and handles sensitive data as a matter of course. In late May 2023 a criminal group called Cl0p began exploiting a flaw in MOVEit that let it pull files off a server without a username or password. The attack was industrialised: automated scripts hit every MOVEit server they could find on the internet, extracted the contents, and moved on. Victims had no idea anything had happened. There was no ransomware and no system shutdown, just data quietly leaving.

Progress Software patched the flaw on 31 May. Only then did the scale become clear: more than 2,700 organisations were eventually confirmed affected, the bulk of the data having been taken before the patch existed. Victims ranged from the BBC and British Airways to the US Department of Energy, state pension funds, and university systems. Personal data on tens of millions of people was exposed. Cl0p then demanded individual ransoms from each victim, threatening to publish whatever it had stolen.

What happened

On 31 May 2023 Progress Software published a security advisory for a critical SQL-injection vulnerability in MOVEit Transfer, its managed file-transfer product, and released a patch; the flaw was assigned CVE-2023-34362 shortly afterwards. Within hours of publication it became clear that the disclosure was reactive rather than proactive: Cl0p had been actively exploiting the vulnerability against internet-exposed MOVEit instances for at least several days before the patch was available.

MOVEit Transfer is used across enterprise and government to exchange sensitive data with external partners. Payroll providers use it to deliver payroll files to client organisations. Pension administrators use it to exchange member data. Government agencies use it for regulated data transfer. The product’s widespread deployment in high-value data environments made it an extraordinarily efficient target for a mass-exploitation campaign: each compromised server contained the sensitive data of not just the operator but all of that operator’s data-exchange partners.

Cl0p’s operation did not use ransomware. There was no encryption, no operational disruption, and no ransom demand at the moment of compromise. The group ran automated scripts that exploited the SQL-injection flaw to install a web shell (later named “LEMURLOOT” by Mandiant researchers), used the shell to enumerate and download data, then removed it to reduce forensic visibility. Victims typically had no indication anything had happened.

Over the weeks and months following disclosure, the breadth of the campaign became clear. Emsisoft's running tracker counted more than 2,700 affected organisations and over 93 million individuals affected by mid-2024. UK victims included the BBC, British Airways, Boots and Aer Lingus, all compromised through their shared use of Zellis, a UK payroll provider whose MOVEit instance was hit; Ofcom was affected separately through its own use of the product. US federal victims included the Department of Energy, Department of Agriculture, and Department of Health and Human Services. The New York City Department of Education had data on 45,000 students exposed. Multiple state pension systems across the US were affected.

How it worked

CVE-2023-34362 was an unauthenticated SQL injection vulnerability in the web-facing component of MOVEit Transfer. SQL injection arises when an application splices untrusted input into the text of a database query instead of binding it as a parameter, so the database cannot distinguish attacker-supplied data from the query itself. In this case the injectable input reached MOVEit's database before any login, and the attackers used it to enumerate and download stored files without authentication. The vulnerability affected all supported versions of MOVEit Transfer and MOVEit Cloud.

Cl0p’s exploitation process was highly automated. The group had developed a working exploit — likely through prior research into the MOVEit codebase — before any patch existed. They ran scanning and exploitation at scale across all internet-exposed MOVEit instances discoverable through services such as Shodan. Exploitation involved sending crafted SQL commands to the web application, which returned data from the backend database and allowed the attacker to interact with the file storage accessible through the application.
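
The two paragraphs above describe the class of flaw rather than the specific query. The following is an added illustration, not MOVEit's code and not Cl0p's exploit: a toy file-transfer "folder listing" endpoint that concatenates caller input into its SQL, beside the parameterised version. The table, column names, sample rows and both attacker inputs are invented for the demo; the backend is an in-memory SQLite database standing in for the product's real one.

```python
# Added illustration (not MOVEit's code, and not Cl0p's exploit): a toy
# file-transfer "folder listing" endpoint that concatenates caller input
# into its SQL, beside the parameterised version.  Table, column names
# and sample rows are invented for this demo.
import sqlite3

# Constructed sample data: files held for several data-exchange partners.
SEED_FILES = [
    ("acme-payroll", "payroll-2023-05.csv", "shared/acme"),
    ("acme-payroll", "employees.xlsx", "shared/acme"),
    ("pension-admin", "members.csv", "shared/pension"),
    ("gov-agency", "case-export.zip", "private/gov"),
]


def make_db():
    """In-memory SQLite database standing in for the file-transfer backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT, folder TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SEED_FILES)
    return conn


def list_folder_vulnerable(conn, folder):
    """Unauthenticated listing with the caller's input spliced into the query.

    The database receives a single string and cannot tell which part was
    meant as data, so a quote character lets the caller rewrite the WHERE
    clause or append a UNION that reads other tables.
    """
    sql = f"SELECT owner, name FROM files WHERE folder = '{folder}'"
    return conn.execute(sql).fetchall()


def list_folder_safe(conn, folder):
    """Same query with the value bound as a parameter.

    The statement text is fixed; the driver passes `folder` separately, so
    quotes and SQL keywords inside it are matched literally against the column.
    """
    sql = "SELECT owner, name FROM files WHERE folder = ?"
    return conn.execute(sql, (folder,)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "shared/acme' OR '1'='1"  # turns the folder filter into "always true"
SCHEMA_ENUM = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"  # reads table definitions


def demo():
    """Run both endpoints against both payloads and a legitimate folder name."""
    conn = make_db()
    return {
        "vulnerable_tautology": len(list_folder_vulnerable(conn, TAUTOLOGY)),  # every partner's files
        "vulnerable_schema": list_folder_vulnerable(conn, SCHEMA_ENUM),        # the CREATE TABLE text
        "safe_tautology": len(list_folder_safe(conn, TAUTOLOGY)),              # no such folder: 0 rows
        "safe_schema": len(list_folder_safe(conn, SCHEMA_ENUM)),               # no such folder: 0 rows
        "safe_legit": len(list_folder_safe(conn, "shared/acme")),              # only that folder
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second payload is the step an attacker takes after proving the injection works: reading the database's own catalogue to learn which tables hold sessions, users and file metadata. The parameterised endpoint returns nothing for either payload because the whole string is compared literally against the folder column.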

The LEMURLOOT web shell, dropped into the MOVEit web root as human2.aspx to sit beside the product's own human.aspx, was written in ASP.NET and designed to blend in with the application. It acted only on requests carrying a hardcoded password in a custom HTTP header (X-siLock-Comment), which let the attackers query MOVEit's database, enumerate stored folders and files, and pull file contents out in ordinary HTTPS responses, indistinguishable in network logs from legitimate MOVEit traffic. In many cases the shell was deleted after use, complicating forensic determination of which data was accessed.

The attack is classified as a zero-day exploit campaign: Cl0p had working exploit code before any patch was available, and the bulk of the campaign's data collection happened during the window between exploitation and disclosure. Kroll's forensic investigation found evidence that the exploit had been tested against MOVEit installations in prior years, indicating the group had been researching the product for some time.

Timeline

  • 2021 onward — Cl0p researches and develops exploit code for the MOVEit Transfer SQL-injection vulnerability; Kroll's later forensic review found testing activity in some customers' MOVEit logs dating back to July 2021, with further activity in April 2022.
  • 27–28 May 2023 (US Memorial Day weekend) — Mass exploitation begins against internet-exposed MOVEit Transfer instances; LEMURLOOT web shells installed, data exfiltrated at scale.
  • 31 May 2023 — Progress Software discloses the vulnerability and releases a patch. CVE-2023-34362 is assigned on 2 June and CISA adds it to its Known Exploited Vulnerabilities catalogue the same day; CISA and the FBI publish a joint advisory on 7 June, and the UK NCSC issues guidance.
  • June 2023 — Cl0p posts an extortion notice on its leak site in the first week of June and begins naming non-paying victims from mid-month. UK victims including the BBC, British Airways, and Boots publicly confirmed via the Zellis compromise.
  • June–July 2023 — US federal agencies confirmed affected. CISA advisory updated. DOE, USDA, HHS among disclosed victims.
  • Ongoing through 2024 — Victim count climbs past 2,700 organisations; litigation filed across multiple jurisdictions. Progress Software faces class-action suits.

What defenders should learn

The core technical lesson is that patching cannot be the only control. The MOVEit vulnerability was a zero-day: no patch existed during the active exploitation window, so the vulnerability itself could not have been fixed in advance. That does not mean there was nothing to be done. Any internet-exposed application that handles sensitive data should be monitored for exploitation indicators in real time, not just patched reactively. The intrusion left artifacts on the server even where the web shell was later deleted: an unexpected .aspx file in the MOVEit web root, requests to it in the IIS logs, and unexpected accounts and sessions in the MOVEit database (Progress's advisory pointed to a newly created user named "Health Check Service"). Organisations that baseline file-transfer activity per counterparty could have flagged the unusual enumeration and bulk download before the public disclosure.

Network controls on MOVEit servers would have helped, but not the ones usually reached for first. Egress filtering does little against this campaign: the stolen data left in the HTTPS responses to the attacker's own inbound requests to the web shell, so the server never needed an outbound connection to an unfamiliar destination. The control that maps to what happened is on the inbound side. A managed file-transfer server has a defined set of legitimate external counterparties and a defined set of data it should exchange with each. Its web interface can be restricted to those counterparties' addresses, with the administrative interface kept off the internet entirely, and requests from anywhere else blocked or alerted on. Operators whose MOVEit deployment was reachable only from known partners would have been far harder for an internet-wide scan to find and exploit, even with no patch available.
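
The two paragraphs above call for monitoring file-transfer activity against behavioural baselines and for confining access to a defined set of counterparties. The following is an added example, not part of the page or of any MOVEit tooling, showing what such checks look like over a constructed audit log: an allow-list of expected source addresses and accounts (the detection-side analogue of an inbound allow-list), a cap on the number of distinct folders one source touches, and a volume threshold. The log layout, the counterparty list, the thresholds and all sample lines are assumptions made for the demo; MOVEit's real audit schema differs.

```python
# Added example, not part of the page or of any MOVEit tooling: baseline
# checks over a constructed file-transfer audit log.  The log layout,
# the counterparty allow-list and the thresholds are assumptions made
# for the demo; MOVEit's real audit schema differs.
from collections import defaultdict

# Constructed audit log: timestamp, source IP, account, action, path, bytes.
# The 198.51.100.7 burst imitates a scripted enumerate-then-download run.
SAMPLE_LOG = """\
2023-05-27T02:01:10Z 203.0.113.10 acme-payroll LIST /shared/acme 0
2023-05-27T02:01:12Z 203.0.113.10 acme-payroll DOWNLOAD /shared/acme/payroll-2023-05.csv 2400000
2023-05-27T03:14:01Z 198.51.100.7 svc-healthcheck LIST /shared/acme 0
2023-05-27T03:14:02Z 198.51.100.7 svc-healthcheck LIST /shared/pension 0
2023-05-27T03:14:02Z 198.51.100.7 svc-healthcheck LIST /private/gov 0
2023-05-27T03:14:03Z 198.51.100.7 svc-healthcheck LIST /private/hr 0
2023-05-27T03:14:05Z 198.51.100.7 svc-healthcheck DOWNLOAD /shared/acme/employees.xlsx 51000000
2023-05-27T03:14:09Z 198.51.100.7 svc-healthcheck DOWNLOAD /shared/pension/members.csv 120000000
2023-05-27T03:14:20Z 198.51.100.7 svc-healthcheck DOWNLOAD /private/gov/case-export.zip 410000000
2023-05-27T08:30:00Z 203.0.113.22 pension-admin DOWNLOAD /shared/pension/members.csv 120000000
"""

# Assumed: the operator's defined set of counterparties, keyed by the
# address each connects from, with the account each is expected to use.
KNOWN_COUNTERPARTIES = {"203.0.113.10": "acme-payroll", "203.0.113.22": "pension-admin"}
MAX_FOLDERS_PER_SOURCE = 2               # assumed: a partner touches only its own folders
BASELINE_BYTES_PER_SOURCE = 200_000_000  # assumed daily norm per source; alert at 2x


def parse_log(text):
    """Parse the space-separated demo format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, action, path, nbytes = line.split()
        # A DOWNLOAD path names a file; the folder it belongs to is its parent.
        folder = path if action == "LIST" else path.rsplit("/", 1)[0]
        events.append({"ts": ts, "ip": ip, "account": account,
                       "action": action, "folder": folder, "bytes": int(nbytes)})
    return events


def summarise(events):
    """Per source address: folders touched, bytes downloaded, accounts used."""
    per_ip = defaultdict(lambda: {"folders": set(), "bytes": 0, "accounts": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["folders"].add(e["folder"])
        s["accounts"].add(e["account"])
        if e["action"] == "DOWNLOAD":
            s["bytes"] += e["bytes"]
    return per_ip


def detect(log_text, known=KNOWN_COUNTERPARTIES,
           max_folders=MAX_FOLDERS_PER_SOURCE, baseline=BASELINE_BYTES_PER_SOURCE):
    """Return (rule, source_ip, detail) tuples, one per baseline violation."""
    alerts = []
    for ip, s in sorted(summarise(parse_log(log_text)).items()):
        if ip not in known:
            # Perimeter analogue: an inbound allow-list would have refused this source.
            alerts.append(("unknown_source", ip, f"accounts={sorted(s['accounts'])}"))
        elif s["accounts"] != {known[ip]}:
            alerts.append(("account_mismatch", ip,
                           f"expected {known[ip]}, saw {sorted(s['accounts'])}"))
        if len(s["folders"]) > max_folders:
            alerts.append(("enumeration", ip,
                           f"{len(s['folders'])} folders: {sorted(s['folders'])}"))
        if s["bytes"] > 2 * baseline:
            alerts.append(("volume", ip,
                           f"{s['bytes']} bytes downloaded (baseline {baseline})"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {ip}: {detail}")
```

Run against the constructed log, the unknown source trips all three rules while the two legitimate partners trip none. The per-source aggregation is the point: each individual request from the scripted run looks like an ordinary MOVEit operation, and only the combination of an unexpected origin, breadth of folders and total volume separates it from a partner's normal traffic.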

The cascading third-party exposure is the campaign’s most important systemic lesson. The majority of the named UK victims — BBC, British Airways, Boots, Aer Lingus — were not themselves MOVEit operators. They were customers of Zellis, a payroll provider that was. The breach of one supplier’s MOVEit instance produced disclosures across Zellis’s entire UK customer base. Organisations that hold third-party data through service relationships — payroll, benefits, pensions, HR administration — need to include their suppliers’ file-transfer infrastructure in their third-party risk assessments and contractual security requirements, not just their suppliers’ primary applications. A supplier’s MOVEit server is part of the organisation’s attack surface whether the organisation knows it or not.

The absence of operational disruption in Cl0p's campaign deserves attention as a threat model update. Conventional ransomware produces loud signals: encrypted files, ransom notes, and operational paralysis. The MOVEit campaign produced none of these. Victims had no indication anything unusual had happened until Cl0p posted its extortion notice roughly a week after the patch and began publishing data in the weeks that followed. A data-theft-only extortion model, executed as a quiet background process against widely deployed enterprise software, is both harder to detect and produces a different class of harm: regulatory exposure, litigation, reputational damage, and individual privacy harm that extends years beyond the event. Defenders who treat operational disruption as the signal of a breach will miss this category of attack entirely.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources
