
MOVEit Transfer Exploited by CLOP Ransomware — June 7, 2023

Clop ransomware gang's MOVEit exploitation in June 2023 affected thousands of organizations. Zero-day vulnerability in file transfer software. One of the largest supply chain attacks of the year.

Reviewed for accuracy by Kodi C.


High-level summary

On June 7, 2023, CISA and the FBI issued Cybersecurity Advisory AA23-158A describing how CL0P ransomware actors exploited critical SQL injection vulnerabilities in Progress Software's MOVEit Transfer managed file transfer (MFT) solution. The exploitation campaign resulted in one of the largest data breach incidents of 2023, affecting hundreds of organizations globally, including government agencies, financial institutions, healthcare providers, and educational institutions.

Attack Campaign Overview

The CL0P ransomware group conducted a coordinated exploitation campaign targeting MOVEit Transfer deployments worldwide:

  • Zero-day exploitation: Threat actors weaponized CVE-2023-34362 and related vulnerabilities as zero-days before patches were available, maximizing the exploitation window.
  • Mass targeting: Unlike typical ransomware operations targeting individual organizations, CL0P exploited MOVEit at scale, compromising hundreds of organizations within days.
  • Data theft focus: The campaign focused on data exfiltration rather than encryption, using double-extortion tactics to pressure victims into paying ransoms to prevent data publication.
  • Supply chain impact: Many victims were compromised through their use of third-party service providers running vulnerable MOVEit instances, amplifying the incident's reach.

Technical Vulnerability Analysis

The MOVEit Transfer vulnerabilities enabled complete compromise of affected systems:

  • CVE-2023-34362 (Critical): SQL injection vulnerability in the MOVEit Transfer web application allowing unauthenticated attackers to access the database and execute arbitrary commands.
  • CVE-2023-35036 (Critical): Additional SQL injection vulnerabilities discovered during subsequent security review.
  • CVE-2023-35708 (Critical): Further SQL injection flaws identified as Progress Software conducted full code review.
  • Attack surface: MOVEit Transfer installations exposed to the internet were directly vulnerable to exploitation without authentication.

Attack Chain Methodology

The advisory details the multi-stage attack methodology employed by CL0P actors:

  • Vulnerability scanning: Attackers identified internet-facing MOVEit Transfer instances through automated scanning and potentially dark web intelligence.
  • SQL injection exploitation: Initial access was achieved by exploiting the SQL injection vulnerabilities to execute arbitrary database queries.
  • Web shell deployment: Attackers deployed web shells (commonly named "human2.aspx") in the MOVEit wwwroot directory to maintain persistent access.
  • Account creation: Unauthorized administrative accounts were created to ensure continued access even if web shells were discovered.
  • Data exfiltration: Database contents, file transfers, and configuration data were exfiltrated to attacker-controlled infrastructure.
  • Extortion communications: Victims received ransom demands threatening publication of stolen data on CL0P leak sites if payments were not made.

Victim Impact and Scope

The MOVEit exploitation campaign affected organizations across multiple sectors:

  • Government agencies: Multiple U.S. federal agencies and state governments confirmed data exposure from MOVEit-related breaches.
  • Financial services: Banks, insurance companies, and investment firms using MOVEit for secure file transfers were compromised.
  • Healthcare: Hospitals, health systems, and healthcare service providers reported patient data exposure.
  • Education: Universities and school districts lost student and employee data through compromised MOVEit systems.
  • Service providers: Managed service providers and payroll processors using MOVEit exposed data belonging to their customers.

The total number of affected individuals reached tens of millions as breach notifications continued throughout 2023.

Indicators of Compromise

Your security team should search for the following indicators associated with MOVEit exploitation:

  • Web shell files: Look for unexpected .aspx files in the MOVEit\wwwroot directory, particularly "human2.aspx" or similar naming patterns.
  • Unauthorized accounts: Audit MOVEit administrative accounts for unexpected entries created during the exploitation window.
  • Anomalous network traffic: Review outbound connections from MOVEit servers for data exfiltration to unknown destinations.
  • Database activity: Examine MOVEit database logs for unusual queries or bulk data access patterns.
  • File system changes: Monitor for new files created in web-accessible directories or modifications to existing application files.
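
An added hunt script (not from the advisory or from Progress Software) that applies the first and last indicators above: it walks a MOVEit wwwroot, flags any .aspx file that matches the reported web shell name, is absent from a baseline manifest, or is a baseline file modified during the exploitation window. The baseline file names, the window dates and the sample files are constructed for the demo; a real baseline should be generated from a clean install of the same MOVEit Transfer version.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Web shell name reported in AA23-158A; the window dates are assumed for this demo.
SUSPECT_NAMES = {"human2.aspx"}
WINDOW_START = datetime(2023, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 6, 8, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Finding:
    path: str    # relative to wwwroot, lower-cased, forward slashes
    reason: str

def hunt_wwwroot(root: Path, baseline: set[str]) -> list[Finding]:
    """Flag .aspx files that match the known web shell name, are missing from
    the baseline manifest, or are baseline files modified inside the window."""
    findings = []
    for p in root.rglob("*.aspx"):
        rel = p.relative_to(root).as_posix().lower()
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if p.name.lower() in SUSPECT_NAMES:
            findings.append(Finding(rel, "known web shell name"))
        elif rel not in baseline:
            findings.append(Finding(rel, "not in baseline manifest"))
        elif WINDOW_START <= mtime <= WINDOW_END:
            findings.append(Finding(rel, "baseline file modified in window"))
    return sorted(findings, key=lambda f: f.path)

def _touch(path: Path, when: datetime) -> None:
    """Create a placeholder file and set its mtime (constructed sample data)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("<%@ Page %>")
    os.utime(path, (when.timestamp(), when.timestamp()))

def demo() -> list[Finding]:
    """Build a constructed wwwroot in a temp dir and hunt it; file names are assumed."""
    clean = datetime(2023, 1, 15, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _touch(root / "human.aspx", clean)  # baseline page, untouched
        _touch(root / "guestaccess.aspx", datetime(2023, 6, 2, tzinfo=timezone.utc))
        _touch(root / "human2.aspx", datetime(2023, 5, 29, tzinfo=timezone.utc))
        _touch(root / "api" / "helper.aspx", datetime(2023, 6, 1, tzinfo=timezone.utc))
        return hunt_wwwroot(root, {"human.aspx", "guestaccess.aspx"})
```

Point hunt_wwwroot() at the real wwwroot with a manifest built from a clean install; demo() only exercises it on the constructed files, and a timestamp-based match alone is a lead for forensic review, not proof of compromise.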

Mitigation and Remediation

If you are affected, implement the following measures to address MOVEit vulnerabilities:

  • Apply vendor patches: Install all available Progress Software security patches for MOVEit Transfer immediately. Multiple patches have been released addressing the full chain of vulnerabilities.
  • Disconnect if unpatched: If patches cannot be immediately applied, disconnect vulnerable MOVEit instances from the network until updates are verified.
  • Forensic investigation: Conduct thorough forensic analysis of MOVEit servers to identify any compromise that occurred while the instance was still exploitable; patching alone does not remove web shells or accounts that were already planted.
  • Credential rotation: Reset all MOVEit administrative credentials and API keys that may have been exposed.
  • Network segmentation: Implement network segmentation to limit access to MOVEit servers from general-purpose networks.
  • Application allowlisting: Deploy application control policies to prevent unauthorized web shells from executing.

Third-Party Risk Considerations

The MOVEit incident highlights significant third-party risk management implications:

  • Vendor notification: Managed service providers and contractors operating MOVEit must notify affected customers per contractual and legal obligations.
  • Supply chain assessment: If you are affected, inventory which business partners use MOVEit for file transfers that may contain your data.
  • Contractual review: Evaluate vendor contracts for security requirements, breach notification timelines, and liability provisions.
  • Alternative solutions: Consider whether alternative secure file transfer mechanisms can reduce concentration risk.

Data exfiltration from MOVEit compromises triggers multiple regulatory considerations:

  • State breach notification: Organizations must comply with state breach notification laws based on affected individuals' residency.
  • SEC disclosure: Public companies face materiality assessments and potential disclosure obligations under SEC cyber incident rules.
  • Sector-specific requirements: HIPAA, GLBA, FERPA, and other sector regulations impose specific breach reporting requirements.
  • Class action exposure: Numerous class action lawsuits have been filed against organizations affected by MOVEit breaches.

Lessons for Future Incidents

The MOVEit campaign provides several lessons for enterprise security programs:

  • Maintain full inventory of file transfer solutions and their exposure to the internet
  • Implement rapid patch deployment capabilities for critical business applications
  • Develop incident response playbooks specifically for managed file transfer compromises
  • Establish communication protocols with service providers for coordinated incident response
  • Consider defense-in-depth controls including web application firewalls and anomaly detection for MFT systems

Closing analysis

The MOVEit Transfer exploitation campaign represents one of the most significant cybersecurity incidents of 2023, demonstrating how vulnerabilities in widely deployed business applications can create cascading impacts across entire sectors. If you are affected, use this incident to evaluate your exposure to similar risks from other enterprise software platforms and to strengthen your ability to respond rapidly when critical vulnerabilities emerge in business-critical systems.

References

  1. AA23-158A CL0P Ransomware Gang Exploits MOVEit Transfer Vulnerability
  2. Progress Software MOVEit Transfer Security Advisory
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization