MOVEit Transfer Exploited by CLOP Ransomware — June 7, 2023
CISA and FBI detailed mass exploitation of MOVEit Transfer SQL injection flaws enabling data theft across government and enterprise networks.
Executive briefing: CISA and the FBI issued Cybersecurity Advisory AA23-158A describing how CL0P ransomware actors exploited Progress MOVEit Transfer vulnerabilities to steal sensitive data. The alert followed widespread breaches of public- and private-sector organizations.
Attack chain
- Zero-day SQL injection. Threat actors weaponized CVE-2023-34362 and related flaws to execute remote commands on MOVEit Transfer servers.
- Data exfiltration. Compromised servers were used to create new admin accounts, deploy web shells, and exfiltrate database contents to attacker-controlled infrastructure.
- Extortion. Victims faced double-extortion tactics, with stolen data posted on CL0P leak sites if ransom demands were not met.
Mitigation guidance
- Apply vendor patches or disconnect vulnerable MOVEit Transfer instances until updates are verified.
- Search for indicators of compromise including unexpected files in the MOVEit\wwwroot directory, unauthorized accounts, and anomalous outbound traffic.
- Implement network segmentation and application allowlisting to restrict access to managed file transfer systems.
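As an added example (not from the advisory or from Progress), the following PowerShell script carries out the "unexpected files in the wwwroot directory" check as a baseline diff: it assumes a SHA256 manifest was captured earlier from a known-good install, and the install path, manifest path and CSV layout are placeholders to adjust for your environment.

```powershell
# Hunt for dropped or modified content under the MOVEit Transfer web root by
# comparing against a known-good hash manifest. Assumed paths; adjust to your install.
param(
    [string]$WebRoot  = 'C:\MOVEitTransfer\wwwroot',          # assumed install path
    [string]$Baseline = 'C:\ir\moveit-wwwroot-baseline.csv',  # hypothetical manifest
    [datetime]$Since  = (Get-Date).AddDays(-30)               # creation-time cutoff
)

# Manifest format assumed here: CSV with columns Path (relative, lower-case) and Hash
# (SHA256), produced from a clean copy with Get-FileHash.
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path.ToLower()] = $_.Hash }

$findings = foreach ($f in Get-ChildItem -Path $WebRoot -Recurse -File) {
    $rel  = $f.FullName.Substring($WebRoot.Length).TrimStart('\').ToLower()
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $reason = $null

    if (-not $known.ContainsKey($rel)) {
        $reason = 'not in baseline'               # dropped file, e.g. a web shell
    } elseif ($known[$rel] -ne $hash) {
        $reason = 'hash differs from baseline'    # legitimate file altered in place
    }

    # Executable web content created after the cutoff is worth review even if baselined.
    $isExec = $f.Extension -in @('.aspx', '.ashx', '.asmx', '.dll')
    if ((-not $reason) -and $isExec -and ($f.CreationTimeUtc -gt $Since)) {
        $reason = 'executable content created after cutoff'
    }

    if ($reason) {
        [pscustomobject]@{
            Path    = $f.FullName
            Created = $f.CreationTimeUtc
            Hash    = $hash
            Reason  = $reason
        }
    }
}

# Newest findings first; feed into your IR ticketing or SIEM as appropriate.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt on the MOVEit host, and preserve the original files (copy, do not move) before any cleanup so forensic timelines stay intact.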
Program considerations
- Third-party risk. Managed service providers and contractors operating MOVEit must notify customers and coordinate remediation to meet contractual obligations.
- Regulatory reporting. Data exfiltration may trigger state breach notification laws, SEC disclosure expectations, and sector-specific mandates.
- Lessons for future zero-days. The advisory reinforces the need for rapid patch management, exploit detection, and resilience planning for secure file transfer solutions.