MOVEit Transfer Exploited by CLOP Ransomware — June 7, 2023

Executive briefing: On 7 June 2023 CISA and the FBI issued Cybersecurity Advisory AA23-158A describing how CL0P ransomware actors exploited Progress MOVEit Transfer vulnerabilities to steal sensitive data. The alert followed widespread breaches of public- and private-sector organizations.

Attack chain

• Zero-day SQL injection. Threat actors weaponized CVE-2023-34362 and related flaws to execute remote commands on MOVEit Transfer servers.
• Data exfiltration. Compromised servers were used to create new admin accounts, deploy web shells, and exfiltrate database contents to attacker-controlled infrastructure.
• Extortion. Victims faced double-extortion tactics, with stolen data posted on CL0P leak sites if ransom demands were not met.

Mitigation guidance

• Apply vendor patches or disconnect vulnerable MOVEit Transfer instances until updates are verified.
• Search for indicators of compromise including unexpected files in the MOVEit\wwwroot directory, unauthorized accounts, and anomalous outbound traffic.
• Implement network segmentation and application allowlisting to restrict access to managed file transfer systems.

Program considerations

• Third-party risk. Managed service providers and contractors operating MOVEit must notify customers and coordinate remediation to meet contractual obligations.
• Regulatory reporting. Data exfiltration may trigger state breach notification laws, SEC disclosure expectations, and sector-specific mandates.
• Lessons for future zero-days. The advisory reinforces the need for rapid patch management, exploit detection, and resilience planning for secure file transfer solutions.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 40/100 · May 31, 2023

Cybersecurity Briefing — MOVEit Transfer zero-day exploited at scale

Progress Software disclosed CVE-2023-34362 on 31 May 2023 after mass exploitation of a SQL injection in MOVEit Transfer that allowed unauthenticated data exfiltration, prompting emergency patches and mandatory…

Cybersecurity · Credibility 90/100 · November 17, 2023

NIST Issues SP 800-171 Rev. 3 Final Public Draft — November 17, 2023

The draft updates controlled unclassified information protections with supply chain, logging, and continuous monitoring requirements.

Cybersecurity · Credibility 91/100 · May 10, 2024

CISA, FBI, and HHS Warn of Black Basta Ransomware Surge — May 10, 2024

U.S. cyber agencies detailed Black Basta’s tactics and urged critical infrastructure operators to harden remote access and backups.

Cybersecurity · Credibility 40/100 · July 2, 2021

Cybersecurity Briefing — Kaseya VSA supply-chain ransomware attack

On 2 July 2021 REvil exploited zero-days in Kaseya VSA to push ransomware to managed service providers and downstream clients, prompting emergency patching and incident response guidance from CISA and FBI.

Cybersecurity · Credibility 40/100 · January 29, 2020

Cybersecurity Briefing — January 29, 2020

ENISA published its 2019 Threat Landscape report highlighting top attack vectors like phishing, ransomware, and supply-chain compromises with recommendations for operators and policymakers.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.