MOVEit Transfer Mass Exploitation by Cl0p (CVE-2023-34362)
Executive Summary
Beginning on May 27, 2023, the Cl0p ransomware group launched a mass exploitation campaign against organizations running Progress Software’s MOVEit Transfer managed file transfer (MFT) application. The attack exploited CVE-2023-34362, a critical SQL injection zero-day vulnerability in the MOVEit Transfer web interface, to deploy web shells, access underlying databases, and exfiltrate sensitive data at scale. Cl0p had pre-positioned access and developed automated tooling to exploit internet-facing MOVEit instances simultaneously, executing what became the largest mass exploitation event of 2023.
The campaign compromised more than 2,500 organizations and exposed the personal data of over 60 million individuals worldwide. Victims spanned every sector, including multinational corporations such as Shell, BBC, British Airways, and Ernst & Young; US federal agencies including the Department of Energy; multiple US state government agencies; universities; healthcare providers; and financial institutions. Cl0p did not deploy ransomware or encrypt victim data. Instead, the group relied exclusively on data theft and extortion, threatening to publish stolen data on its leak site unless victims paid. Aggregate financial impact has been estimated at over $10 billion, accounting for breach notification costs, regulatory fines, legal settlements, remediation expenses, and reputational damage across the full victim population.
Technical Analysis
MOVEit Transfer is a managed file transfer product developed by Progress Software (formerly Ipswitch), widely deployed in enterprise and government environments for secure file exchange. The application provides a web-based interface for managing file transfers, user accounts, and system configuration. CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to the underlying database by submitting crafted SQL statements to the application’s API endpoints.
The exploitation chain began with the SQL injection vulnerability in the MOVEit Transfer web interface. By submitting specially crafted requests to the application’s API, attackers could manipulate database queries to extract data and escalate privileges. The SQL injection allowed the attackers to write a web shell — tracked by Mandiant as LEMURLOOT and typically deployed as human2.aspx — to the MOVEit Transfer web root. LEMURLOOT provided persistent remote access to the compromised server, accepting commands via HTTP requests authenticated with a hardcoded password. Through the web shell, Cl0p operators could enumerate the MOVEit Transfer database, identify high-value data stores, stage data for exfiltration, and extract it in bulk.
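To make the vulnerability class concrete, the following is an added Python example; it is not MOVEit Transfer's code and says nothing about the product's real schema, endpoints or queries. It places a lookup that splices untrusted text into a SQL string beside the parameterized form of the same lookup, so the reader can see why the first returns rows it should not while the second treats the identical input purely as data. The table, the user names and the test input are constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: caller-controlled text becomes part of the SQL
    # statement itself, so the input can change the query's structure.
    sql = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened pattern: the driver transmits the value separately from the
    # statement, so the input is only ever compared as a string literal.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: a textbook tautology that is harmless to the
# parameterized query but rewrites the WHERE clause of the vulnerable one.
INJECTED = "nobody' OR '1'='1"


def demo():
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED),
        "parameterized": lookup_parameterized(conn, INJECTED),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows}")
```

The vulnerable lookup returns every row because the quote in the input terminates the literal and appends an always-true condition; the parameterized lookup returns nothing because no user is literally named `nobody' OR '1'='1`. The same distinction is what a code review or SAST rule for an MFT web tier should be looking for.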
Cl0p’s tooling was highly automated. The group developed purpose-built scripts to scan for internet-facing MOVEit Transfer instances, exploit the SQL injection, deploy the web shell, and initiate data exfiltration — all with minimal manual intervention. This automation enabled simultaneous exploitation of hundreds of targets over the Memorial Day weekend, when many US organizations had reduced staffing.
Two additional SQL injection vulnerabilities — CVE-2023-35036 and CVE-2023-35708 — were discovered during the investigation and response to the initial zero-day. These follow-on CVEs affected the same MOVEit Transfer web interface and were patched in subsequent emergency releases. It remains unclear whether Cl0p was aware of or had exploited these additional vulnerabilities prior to their discovery by security researchers.
Microsoft tracks the Cl0p operators responsible for the MOVEit campaign under the designation Lace Tempest (formerly DEV-0950). Analysis of MOVEit Transfer logs revealed that Cl0p had been testing the exploit against a small number of targets as early as July 2021 and again in April 2022, indicating that the group had stockpiled the zero-day for nearly two years before deploying it at scale.
Attack Chain
Stage 1: Reconnaissance and Exploit Development
Cl0p identified the SQL injection vulnerability in MOVEit Transfer and developed a working exploit. Testing activity against a limited number of MOVEit Transfer instances was observed as early as July 2021, with additional testing in April 2022. The group built automated tooling to scan for internet-facing MOVEit Transfer instances and exploit the vulnerability at scale.
Stage 2: SQL Injection (CVE-2023-34362)
Beginning May 27, 2023, Cl0p deployed the exploit against internet-facing MOVEit Transfer instances globally. Crafted SQL statements submitted to the MOVEit Transfer web application’s API endpoints allowed unauthenticated access to the underlying database, bypassing application-level authentication and authorization controls.
Stage 3: Web Shell Deployment (LEMURLOOT)
The SQL injection was leveraged to write a web shell — LEMURLOOT (human2.aspx) — to the MOVEit Transfer web server’s document root. The web shell accepted commands via HTTP POST requests authenticated with a hardcoded password, providing persistent backdoor access to the compromised server independent of the SQL injection vulnerability.
Stage 4: Database Access and Data Staging
Through the LEMURLOOT web shell, Cl0p operators enumerated the MOVEit Transfer database schema, identified tables containing transferred files and associated metadata, and staged data for extraction. The web shell included functionality to query Azure Blob Storage settings where applicable, allowing access to files stored in cloud backends.
Stage 5: Data Exfiltration
Staged data was exfiltrated from compromised MOVEit Transfer instances to Cl0p-controlled infrastructure. The exfiltration was conducted in bulk, leveraging the web shell’s built-in download capabilities. Given the nature of MFT platforms, the stolen data frequently included highly sensitive files — financial records, healthcare data, personally identifiable information, and legal documents — that organizations had been exchanging through MOVEit Transfer.
Stage 6: Extortion (No Encryption)
Cl0p publicly claimed responsibility for the campaign on June 6, 2023, and began contacting victims directly on June 15. The group posted victim names to its dark web leak site and threatened to publish stolen data unless ransom payments were made. Notably, Cl0p did not deploy ransomware or encrypt any victim systems. The operation was purely data theft and extortion — a departure from the group’s historical ransomware operations and a signal of the broader trend toward encryption-less extortion.
MITRE ATT&CK Mapping
Resource Development
T1588.006 — Vulnerabilities: Cl0p discovered or acquired the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362) and developed a working exploit. Testing activity dates back to July 2021, indicating the group stockpiled the zero-day for nearly two years before mass deployment.
Initial Access
T1190 — Exploit Public-Facing Application: Unauthenticated SQL injection against internet-facing MOVEit Transfer web application instances. The exploit targeted API endpoints accessible without authentication, allowing arbitrary database manipulation.
Execution
T1059.003 — Windows Command Shell: The LEMURLOOT web shell (human2.aspx) deployed to compromised MOVEit Transfer servers provided command execution capabilities via HTTP POST requests, enabling arbitrary command execution on the underlying Windows server.
Collection
T1005 — Data from Local System: Automated extraction of transferred files and metadata from MOVEit Transfer databases and associated file storage. The web shell included purpose-built functionality for enumerating and downloading stored files.
Exfiltration
T1567.002 — Exfiltration to Cloud Storage: Bulk exfiltration of stolen data from compromised MOVEit Transfer instances to attacker-controlled infrastructure. The volume of data exfiltrated across 2,500+ victims indicates highly automated, high-throughput exfiltration tooling.
Impact Assessment
Scale: More than 2,500 organizations confirmed compromised. Over 60 million individuals had personal data exposed, making this one of the largest data breaches by victim count in history.
Financial Impact: Aggregate impact across all victims is estimated to exceed $10 billion, encompassing breach notification and credit monitoring costs, regulatory fines, class action litigation, incident response and forensic investigation, system remediation, and reputational damage. IBM’s Cost of a Data Breach Report noted that MOVEit-related breaches were among the most expensive in the 2023-2024 reporting cycle.
Notable Victims:
- Energy: Shell (global energy company)
- Media: BBC (British Broadcasting Corporation)
- Aviation: British Airways
- Professional Services: Ernst & Young, PricewaterhouseCoopers, Deloitte
- Government (US Federal): Department of Energy, Office of Personnel Management, Department of Health and Human Services
- Government (US State): Louisiana Office of Motor Vehicles, Oregon Department of Transportation, Colorado Department of Health Care Policy and Financing, Missouri Department of Social Services
- Financial: 1st Source Bank, First National Bankers Bank
- Healthcare: Johns Hopkins University and Health System, BORN Ontario (3.4 million newborn records)
- Education: University of California, Los Angeles (UCLA), University of Rochester
- Technology: Sony, Siemens Energy
Regulatory Impact: The campaign triggered mandatory breach notifications across multiple jurisdictions and contributed to accelerated regulatory scrutiny of managed file transfer platforms and supply chain security. Multiple class action lawsuits were filed against Progress Software and affected organizations.
Timeline
2021-07 — Early Exploit Testing Observed
Forensic analysis of MOVEit Transfer logs revealed that Cl0p-associated actors tested the SQL injection exploit against a small number of MOVEit Transfer instances as early as July 2021. The activity was limited in scope and did not result in mass exploitation.
2022-04 — Additional Testing Activity
A second round of limited testing activity was observed in April 2022, suggesting Cl0p was refining the exploit and assessing target availability while continuing to stockpile the zero-day.
2023-05-27 — Mass Exploitation Begins
Cl0p launched the mass exploitation campaign over the US Memorial Day weekend. Automated tooling scanned for and exploited internet-facing MOVEit Transfer instances, deploying the LEMURLOOT web shell and initiating data exfiltration across hundreds of targets simultaneously.
2023-05-31 — Progress Software Discloses CVE-2023-34362
Progress Software published a security advisory disclosing CVE-2023-34362 and released a patch for MOVEit Transfer. The advisory urged all customers to apply the patch immediately and provided indicators of compromise for detecting existing breaches.
2023-06-01 — Mandiant Publishes Analysis
Mandiant published initial analysis of the zero-day exploitation campaign, attributing the activity to UNC4857 (later associated with Cl0p/Lace Tempest) and providing technical details on the LEMURLOOT web shell and exploitation methodology.
2023-06-06 — Cl0p Claims Responsibility
The Cl0p group posted a message on its dark web leak site claiming responsibility for the MOVEit Transfer exploitation campaign. The group stated it had stolen data from “hundreds of companies” and gave victims one week to initiate contact before data would be published.
2023-06-07 — CISA Issues Joint Advisory
CISA and the FBI published joint advisory AA23-158A providing detailed technical analysis, indicators of compromise, and mitigation guidance for the MOVEit Transfer vulnerability exploitation.
2023-06-09 — Progress Patches CVE-2023-35036
Progress Software disclosed and patched a second SQL injection vulnerability (CVE-2023-35036) discovered during the investigation of the original zero-day.
2023-06-15 — Extortion Campaign Begins
Cl0p began directly contacting victims and posting organization names on its leak site, initiating the extortion phase. The group published data from organizations that did not engage in negotiations.
2023-07-06 — Microsoft Publishes Lace Tempest Analysis
Microsoft published detailed analysis attributing the campaign to Lace Tempest (Cl0p’s operational arm), providing additional technical details on the intrusion methodology and pre-positioning activity dating back to 2021.
2023-07-07 — Progress Patches CVE-2023-35708
Progress Software disclosed and patched a third SQL injection vulnerability (CVE-2023-35708), the final follow-on CVE discovered during the investigation.
Remediation & Mitigation
Immediate Actions:
- Apply Progress Software security patches for CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708 to all MOVEit Transfer and MOVEit Cloud instances immediately
- Search for indicators of compromise, specifically the presence of human2.aspx or other unexpected .aspx files in the MOVEit Transfer web root directory
- Review MOVEit Transfer audit logs for unauthorized access, unexpected file downloads, and anomalous API activity during and after the exploitation window
- If compromise is confirmed, isolate affected MOVEit Transfer instances, preserve forensic evidence, and initiate incident response procedures
Detection and Forensics:
- Review IIS logs for HTTP POST requests to unexpected .aspx files in the MOVEit Transfer web directory
- Examine the MOVEit Transfer database for unauthorized accounts or privilege escalations
- Audit Azure Blob Storage access logs if MOVEit Transfer is configured with cloud storage backends
- Search for evidence of large-volume data downloads from the MOVEit Transfer application during the exploitation window (May 27 onward)
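The IIS log review and the large-volume download search above can be combined into one retrospective hunt. The following Python script is an added example, not part of the advisory or any vendor tooling: it parses IIS W3C extended logs using their own `#Fields:` header, flags requests to any .aspx path outside an assumed baseline of known-good pages, and totals response bytes per client address to surface bulk downloads. The log lines, the client addresses and the baseline set are constructed; a real baseline should be generated from a clean install or the vendor package, and `sc-bytes` is only present when response-size logging is enabled on the site.

```python
import io
from collections import defaultdict

# Constructed sample IIS W3C extended log (not from a real incident).
# Real IIS logs carry the same "#Fields:" header that drives the parser.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-05-28 02:14:07 GET /human.aspx OrgID=1234 198.51.100.7 200 4821
2023-05-28 02:14:09 POST /human.aspx - 198.51.100.7 200 1209
2023-05-28 02:15:31 POST /human2.aspx - 203.0.113.42 200 384
2023-05-28 02:15:35 POST /human2.aspx - 203.0.113.42 200 734003200
2023-05-28 02:16:02 GET /api/v1/token - 203.0.113.42 200 912
"""

# Assumed baseline of .aspx pages that belong to the deployment. Build it
# from a known-good server, never from the server under investigation.
KNOWN_ASPX = {"/human.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or a line with an unexpected shape
        yield dict(zip(fields, parts))


def hunt(text, known_aspx=KNOWN_ASPX, bulk_threshold=100 * 1024 * 1024):
    """Return findings as tuples: unexpected .aspx requests and bulk downloads."""
    findings = []
    bytes_by_ip = defaultdict(int)
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if stem.endswith(".aspx") and stem not in known_aspx:
            findings.append(("unexpected-aspx", rec["cs-method"], stem, rec["c-ip"]))
        if rec.get("sc-bytes", "").isdigit():
            bytes_by_ip[rec["c-ip"]] += int(rec["sc-bytes"])
    for ip, total in bytes_by_ip.items():
        if total >= bulk_threshold:
            findings.append(("bulk-download", ip, total))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

On the sample, the two POSTs to /human2.aspx are reported as requests to a page outside the baseline, and the client that issued them also crosses the 100 MiB response threshold. The threshold is a starting point: tune it against the site's normal daily transfer volume before running the hunt over the May 27 onward window.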
Longer-Term Mitigation:
- Restrict internet-facing exposure of MOVEit Transfer instances by placing them behind VPN or zero-trust network access controls
- Implement web application firewall (WAF) rules to detect and block SQL injection attempts targeting MFT platforms
- Enable enhanced logging and monitoring on all managed file transfer platforms
- Conduct a review of all internet-facing MFT and file-sharing infrastructure to assess exposure
- Develop and test incident response playbooks specific to MFT platform compromise
CISA Guidance:
CISA advisory AA23-158A provides comprehensive detection signatures, YARA rules, and network indicators. Organizations should incorporate these into their security monitoring infrastructure and conduct retrospective hunts across the exploitation window.
Indicators of Compromise
File Indicators
- human2.aspx — LEMURLOOT web shell deployed to MOVEit Transfer web root (primary indicator)
- human2.aspx.lnk — shortcut file associated with web shell deployment
- _human2.aspx — variant web shell filename observed in some compromises
- SHA256 (LEMURLOOT variant): 2413b5d0750c23b07999ec33a5b4571cb4b2571b4e75afb5a2abdb6735a326c1
- SHA256 (LEMURLOOT variant): 110e301d3b5019177728010202c8096824b14cd31b2160914b4c4960d2bca8f2
- SHA256 (LEMURLOOT variant): b1c299a9fe6076f370178de7b5f04894e5fe3c8c93228c084d7675e76977e12f
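The file indicators above can be checked with a web root sweep. The following Python script is an added example and not part of the advisory or of Progress Software's tooling: it walks a directory, reports any file whose name matches the listed indicator names, any file whose SHA256 matches the listed LEMURLOOT hashes, and any other .aspx file absent from an assumed baseline of known-good pages. The hashes and indicator names are the ones listed on this page; the demo web root, its file contents and the baseline set are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values listed in the advisory text for LEMURLOOT variants.
LEMURLOOT_SHA256 = {
    "2413b5d0750c23b07999ec33a5b4571cb4b2571b4e75afb5a2abdb6735a326c1",
    "110e301d3b5019177728010202c8096824b14cd31b2160914b4c4960d2bca8f2",
    "b1c299a9fe6076f370178de7b5f04894e5fe3c8c93228c084d7675e76977e12f",
}

# Filename indicators listed in the advisory text (compared case-insensitively).
SUSPECT_NAMES = {"human2.aspx", "human2.aspx.lnk", "_human2.aspx"}


def sha256_file(path):
    """Hash a file in chunks so large uploads in the web root do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_webroot(webroot, baseline_aspx):
    """Return [(relative_path, (reason, ...)), ...] for files that merit review.

    baseline_aspx holds relative paths of .aspx files known to belong to the
    product. It should come from a clean install, not from the suspect host.
    """
    root = Path(webroot)
    baseline = {p.lower() for p in baseline_aspx}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if path.name.lower() in SUSPECT_NAMES:
            reasons.append("ioc-filename")
        if sha256_file(path) in LEMURLOOT_SHA256:
            reasons.append("ioc-sha256")
        elif rel.lower().endswith(".aspx") and rel.lower() not in baseline:
            reasons.append("unexpected-aspx")  # renamed or novel shell candidate
        if reasons:
            findings.append((rel, tuple(reasons)))
    return findings


def demo():
    # Constructed web root: one legitimate page, one file matching the IoC
    # name, and an unrelated asset. Contents are placeholders, not shell code.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "human.aspx").write_text('<%@ Page Language="C#" %> legitimate placeholder')
        (root / "human2.aspx").write_text("placeholder content constructed for the demo")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG placeholder")
        return hunt_webroot(root, baseline_aspx={"human.aspx"})


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, ", ".join(reasons))
```

Because the placeholder file is not a real LEMURLOOT sample, it is caught by name and by absence from the baseline rather than by hash; on a live system the hash match is the authoritative signal, and the name and baseline checks exist to catch variants whose hashes are not yet published. Preserve any flagged file and its timestamps before removing it.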
Network Indicators
- Unexpected outbound connections from MOVEit Transfer servers to non-standard external IP addresses
- High-volume data transfers from MOVEit Transfer instances to unrecognized destinations
- HTTP POST requests to .aspx files not part of the standard MOVEit Transfer web application
Log Indicators
- IIS access logs showing requests to human2.aspx or other non-standard .aspx files
- MOVEit Transfer audit logs showing unauthorized file access or bulk downloads
- Database logs showing anomalous SQL query patterns or privilege escalation attempts
- Windows Event Logs showing creation of new .aspx files in the MOVEit Transfer web directory
Sources & References
- CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability — CISA, 2023-06-07
- Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft — Mandiant, 2023-06-02
- MOVEit Transfer and MOVEit Cloud Vulnerability — Progress Software, 2023-05-31
- Clop Ransomware Gang Starts Extorting MOVEit Data-Theft Victims — BleepingComputer, 2023-06-15
- The Five-Day Job: A CrowdStrike Intrusion Analysis of Lace Tempest — Microsoft, 2023-07-06