News

MOVEit Transfer Zero-Day Exploited in Mass Attacks: What You Need to Know

Sarah Chen
December 27, 2024
4 min read

A critical SQL injection flaw in MOVEit Transfer is being actively exploited by the Cl0p ransomware gang, affecting hundreds of organizations worldwide. Here's what happened and how to respond.

Tags: MOVEit, CVE-2023-34362, SQL injection, Cl0p, ransomware, zero-day, file transfer

On May 31, 2023, Progress Software disclosed CVE-2023-34362, a critical SQL injection vulnerability in MOVEit Transfer, its managed file transfer (MFT) product used by thousands of organizations worldwide. By the time the advisory went out, exploitation had already been under way for several days, and what followed became one of the year's most significant supply chain incidents.

The Attack Timeline

The Cl0p ransomware gang launched mass exploitation of this zero-day over the US Memorial Day weekend, days before a patch existed, and forensic reporting published afterwards (Kroll) found evidence of the actors testing the flaw as far back as 2021. They moved fast: web shells were planted and data pulled out before most security teams knew the vulnerability existed.

  • 2021-2022: Forensic evidence later shows the actors experimenting with exploitation of the flaw, long before the campaign
  • May 27-28, 2023: Mass exploitation begins over the US Memorial Day weekend; the first victims notice unusual activity
  • May 31, 2023: Progress Software publishes its advisory and patches
  • June 4-6, 2023: Microsoft attributes the campaign to Cl0p (which it tracks as Lace Tempest); Cl0p posts an extortion notice telling victims to contact it
  • June 7, 2023: CISA and the FBI publish joint advisory AA23-158A; the confirmed victim count grows from dozens to hundreds, and eventually past 2,000 organizations

Technical Details

CVE-2023-34362 is a SQL injection vulnerability in MOVEit Transfer's web application, reachable without credentials. On its own the injection gives an attacker read and write access to the MOVEit database; in the chain analysed publicly after the patch, it was used to forge a privileged session, and a deserialization step reached through that session gave code execution on the host. Attackers could:

  • Execute arbitrary SQL statements against the MOVEit database
  • Forge a privileged session and so bypass authentication entirely
  • Read and download database contents, including user records and storage settings
  • Create backdoor accounts and drop a web shell for persistent access
  • Enumerate folders and exfiltrate the files stored in MOVEit

CVSS Score: 9.8 (Critical)
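To show the vulnerability class rather than the vendor's code, here is an added example written for this post in Python over SQLite. It is hypothetical MFT-style code, not MOVEit Transfer's (which is .NET against SQL Server); the tables, accounts, password-hash placeholders and payloads are all constructed, and no MOVEit exploit steps are reproduced. The string-built queries show the two outcomes from the list above, authentication bypass and database dumping, and the parameterized versions beside them show why bound parameters close both.

```python
"""Added example: string-built SQL beside its parameterized fix (hypothetical MFT-style code)."""
import sqlite3


def build_db():
    """Constructed in-memory schema standing in for an MFT product's user and file tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER);
        INSERT INTO users VALUES ('sysadmin', 'hash-of-sysadmin-pw', 1);
        INSERT INTO users VALUES ('jsmith', 'hash-of-jsmith-pw', 0);
        CREATE TABLE files (name TEXT, owner TEXT);
        INSERT INTO files VALUES ('payroll-2023.xlsx', 'jsmith');
        INSERT INTO files VALUES ('board-minutes.pdf', 'sysadmin');
    """)
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: untrusted input is spliced into the SQL text (the CVE-2023-34362 class of bug).
    A quote followed by a comment marker truncates the password check entirely."""
    sql = (f"SELECT username, is_admin FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password_hash):
    """Fixed: bound parameters keep input as data; quotes and comment markers are never parsed as SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def search_vulnerable(conn, term):
    """Vulnerable file search: a UNION turns a name search into a dump of any other table."""
    sql = f"SELECT name FROM files WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Fixed file search: the wildcard pattern is built in Python and bound as a single value."""
    sql = "SELECT name FROM files WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Constructed payloads for the hypothetical code above.
AUTH_BYPASS = "sysadmin' --"
DUMP_USERS = "' UNION SELECT username || ':' || password_hash FROM users --"

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, AUTH_BYPASS, "wrong"))   # admin row returned without a valid hash
    print(login_fixed(db, AUTH_BYPASS, "wrong"))        # None
    print(search_vulnerable(db, DUMP_USERS))            # file names plus every user's hash
    print(search_fixed(db, DUMP_USERS))                 # []
```

The fix is not escaping quotes more carefully; it is never letting input reach the SQL parser as syntax. The same rule applies to the LIKE pattern: the `%` wildcards are added in code and the whole pattern is bound as one parameter.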

The vulnerability existed in every supported branch; the fixed builds were:

  • MOVEit Transfer 2023.0.x (15.0.x) before 2023.0.1
  • MOVEit Transfer 2022.1.x (14.1.x) before 2022.1.5
  • MOVEit Transfer 2022.0.x (14.0.x) before 2022.0.4
  • MOVEit Transfer 2021.1.x (13.1.x) before 2021.1.4
  • MOVEit Transfer 2021.0.x (13.0.x) before 2021.0.6
  • MOVEit Transfer 2020.1.x (12.1) received a special patch; 2020.0.x and older had to be upgraded

MOVEit Cloud was affected as well and was patched by Progress on the service side.

The Cl0p Connection

The Cl0p (also written as "Clop") ransomware gang has a history of targeting file transfer solutions. They previously exploited vulnerabilities in Accellion FTA and GoAnywhere MFT. Their MOVEit campaign followed a familiar pattern:

  1. Exploit vulnerability to gain access
  2. Deploy custom web shells for persistence
  3. Exfiltrate sensitive data
  4. Demand ransom under threat of public data leak
  5. List non-paying victims on their leak site

Unlike traditional ransomware, Cl0p encrypted nothing on the MOVEit hosts. The campaign was pure data theft followed by extortion, a tactic often called "encryption-less extortion." That changes the defensive calculus: backups and recovery plans do not help at all, and the only levers are limiting what the MFT server can reach and detecting the exfiltration early.

Who Was Affected

The victim list reads like a who's who of major organizations:

  • Government agencies across multiple countries
  • Major universities and educational institutions
  • Healthcare providers and hospital systems
  • Financial services firms
  • Law firms handling sensitive client data
  • Fortune 500 companies

The ripple effects extended well beyond direct MOVEit users. Many third-party service providers ran MOVEit to move client data, so their customers were exposed even though those customers never used the software themselves; the UK payroll provider Zellis, whose breach exposed staff of several large employers, is the best-known example.

Immediate Response Steps

If your organization uses MOVEit Transfer, work through these in order; Progress's own guidance was to cut off the web attack surface and clean up before patching, not after.

1. Isolate the instance first. Block inbound HTTP and HTTPS (ports 80 and 443) to the MOVEit Transfer environment at the firewall until the checks below are complete. While traffic is blocked the web UI, REST API and Outlook add-in stop working; SFTP and FTPS continue as normal.

2. Check your version. Compare the installed build against the fixed versions listed above. If you were running an affected build with the web interface exposed to the internet, assume compromise until proven otherwise: exploitation began before the patch existed, so being patched now says nothing about the Memorial Day weekend.

3. Hunt for web shells and other artifacts. Cl0p's web shell, which Mandiant named LEMURLOOT, was written to disk as human2.aspx, a name chosen to blend in beside the legitimate human.aspx. Check the MOVEit wwwroot directory (C:\MOVEitTransfer\wwwroot by default) for human2.aspx and for any other .aspx or .dll file you did not put there, and look for freshly compiled App_Web_*.dll files under the Temporary ASP.NET Files directory. In the MOVEit user list, look for accounts you did not create; the campaign added an account named "Health Check Service", among others.

4. Review IIS and MOVEit logs. In the IIS logs, look for GET requests to /human2.aspx, POST requests to /moveitisapi/moveitisapi.dll with action=m2, and POST requests to /guestaccess.aspx from unfamiliar IPs, particularly over May 27-28, along with bulk downloads through the API. In the MOVEit audit logs, look for logins from addresses or accounts you don't recognize and folder enumeration or downloads out of proportion to normal use.

5. Reset credentials. Rotate the MOVEit service account, the database credentials and every administrative account. If the instance is configured with Azure Blob storage, rotate the storage account key as well; the web shell could read those settings out of the database. Treat anything stored in the compromised database as exposed.

6. Patch, then restore traffic. Apply the fixed version and only then re-enable HTTP/HTTPS. Keep watching the advisory: Progress shipped fixes for two further MOVEit Transfer SQL injection flaws, CVE-2023-35036 and CVE-2023-35708, within weeks of the first.

7. Preserve evidence before cleanup. If you find any of the artifacts above, image the host and export the IIS and MOVEit logs before deleting anything; the notification decisions that follow depend on knowing what was taken, and a cleaned-up server can no longer tell you.
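As an added example, not part of the original post and not Progress's tooling, here is a Python script that applies the IIS-log indicators from step 4 to a log excerpt. The excerpt is constructed for this post (the field list is trimmed from the IIS default, and the addresses, timestamps and usernames are made up); the indicator strings themselves (human2.aspx, moveitisapi.dll with action=m2, guestaccess.aspx) are the ones published in the CISA/FBI advisory. The script distinguishes a served web shell (200) from a scanner probing for one (404), and reports guestaccess.aspx only for clients that already matched a stronger indicator, since that page is legitimate traffic on its own.

```python
"""Added example: hunt an IIS W3C log excerpt for the published MOVEit exploitation indicators."""
from collections import defaultdict

# Constructed IIS log excerpt for this post (trimmed field list; IPs, times and users are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:12:01 10.0.0.5 GET /human.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:04 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:05 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:09 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 09:30:00 10.0.0.5 GET /human.aspx - 443 jsmith 198.51.100.23 Mozilla/5.0 200
2023-05-28 09:30:10 10.0.0.5 POST /guestaccess.aspx - 443 jsmith 198.51.100.23 Mozilla/5.0 200
2023-05-29 11:00:00 10.0.0.5 GET /human2.aspx - 443 - 192.0.2.44 python-requests/2.31 404
"""


def parse_iis(text):
    """Parse W3C extended-format log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the field list can change mid-file; use the latest
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                           # no header yet, or a malformed line: skip, don't guess
        records.append(dict(zip(fields, parts)))
    return records


def hunt(records):
    """Return {client_ip: [finding, ...]} for clients matching the CISA/FBI-published indicators."""
    findings = defaultdict(list)
    for r in records:
        ip, method, status = r["c-ip"], r["cs-method"], r["sc-status"]
        stem, query = r["cs-uri-stem"].lower(), r["cs-uri-query"].lower()
        when = f"{r['date']} {r['time']}"
        if stem == "/human2.aspx":
            if status == "200":
                findings[ip].append(f"{when} human2.aspx served (200): LEMURLOOT web shell present")
            else:
                findings[ip].append(f"{when} human2.aspx requested, status {status}: probe for the shell")
        elif stem == "/moveitisapi/moveitisapi.dll" and method == "POST" and "action=m2" in query:
            findings[ip].append(f"{when} POST moveitisapi.dll action=m2: exploit-chain request")
    # guestaccess.aspx is legitimate traffic on its own; report it only for clients already flagged.
    for r in records:
        ip = r["c-ip"]
        if ip in findings and r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == "/guestaccess.aspx":
            findings[ip].append(f"{r['date']} {r['time']} POST guestaccess.aspx from an already-flagged client")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in hunt(parse_iis(SAMPLE_LOG)).items():
        print(ip)
        for note in notes:
            print("   ", note)
```

Point the parser at the real files under the IIS log directory (the default is C:\inetpub\logs\LogFiles\W3SVC1) and include every day from May 27 onward; a 404 for human2.aspx from a scanner is noise, but a 200 means the shell was on disk at that moment, and the client that planted it is the one to trace through the rest of the logs.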

Long-term Implications

This incident reinforces several hard truths about modern cybersecurity:

Supply Chain Risk is Real Your security is only as strong as your vendors' security. Even if you do everything right, a vulnerability in third-party software can expose your data.

MFT is a Prime Target File transfer solutions are goldmines for attackers because they handle sensitive data by design. They're also often internet-facing, making them accessible targets.

Time to Patch is Critical, But Not Sufficient Cl0p was inside victims' MOVEit servers days before the patch existed, so patching quickly limited exposure but did not by itself answer whether you had already been hit. Organizations that patched within a day or two of disclosure and paired it with a compromise assessment came through best; those who waited, or who patched without looking, often learned of the breach from the leak site.

Detection is Hard Many organizations discovered the compromise only when Cl0p listed them. The web shell was a single .aspx file named to look like a legitimate MOVEit page, and the data left over the same HTTPS channel and API that users exercise every day, so signature-based tools and network monitoring saw normal-looking MOVEit traffic.

Strengthening MFT Security

Beyond patching, consider these hardening steps:

  • Enable multi-factor authentication for all users, administrators first
  • Implement IP allowlisting where possible, and keep the admin interface off the internet entirely
  • Deploy a web application firewall (WAF), while recognizing it is a layer, not a patch substitute: the MOVEit exploit traffic looked like ordinary API use
  • Enable comprehensive logging and monitoring, and alert on bulk or off-hours downloads and folder enumeration
  • Restrict outbound connections from the MFT host so a compromised server cannot reach back out freely
  • Enforce retention so the MFT server is a transfer point, not a long-term archive; data that has been deleted cannot be stolen
  • Conduct regular security audits of file transfer infrastructure
  • Have an incident response plan specifically for data exfiltration scenarios
  • Segment the network so a compromised MFT system can't reach everything else

The Bigger Picture

MOVEit wasn't Cl0p's first target and probably won't be their last. The gang has shown a clear pattern of targeting file transfer solutions, and they're likely already looking for the next zero-day.

Organizations need to shift from reactive patching to proactive security:

  • Assume vulnerabilities exist in all software
  • Monitor for anomalous behavior, not just known threats
  • Segment networks to limit blast radius
  • Have offline backups that ransomware can't touch, while recognizing that backups do nothing against pure data theft; for that, data minimization and egress controls matter more
  • Test incident response procedures regularly

Resources and Support

Progress Software maintains an updated advisory at their security portal. CISA has also published guidance for organizations affected by this incident.

If your organization was impacted, consider engaging a qualified incident response firm to help with forensics and recovery. The sooner you act, the better your options for limiting damage.

This incident serves as a wake-up call for anyone managing file transfer infrastructure or relying on third-party solutions for sensitive data handling. The attackers aren't slowing down - our defenses need to keep pace.

