MOVEit Transfer is a managed file transfer application built by Progress Software (formerly Ipswitch) and used by thousands of large organizations — government agencies, financial institutions, healthcare providers, law firms, and major corporations — to move sensitive data between systems and trading partners securely and in compliance with regulatory requirements. It was the trusted conduit for exactly the kind of data Cl0p was hunting: HR records, payroll data, financial documents, customer personally identifiable information, and government files. That trusted position is precisely what made it valuable as an attack target.
CVE-2023-34362: The SQL Injection That Opened Everything
The vulnerability at the center of the campaign, assigned CVE-2023-34362, is a SQL injection flaw in MOVEit Transfer's web application. SQL injection — a technique where an attacker inserts malicious database query syntax into a web application input to manipulate the underlying database — is one of the most well-documented vulnerability classes in cybersecurity, appearing consistently in OWASP's Top 10 list since 2003. Finding a new instance of it in a product designed to handle sensitive regulated data was, in retrospect, a significant failure of secure development practice.
The specific flaw resided in MOVEit Transfer's handling of web application requests. By crafting a malicious payload and sending it to the MOVEit Transfer web interface, an unauthenticated attacker could interact directly with the application's underlying database, escalate privileges, and execute commands beyond the software's intended functionality. Huntress demonstrated through technical analysis that the vulnerability could actually lead to full remote code execution on the server — not merely database access. This was a pre-authentication flaw, requiring no credentials, no prior foothold, and no social engineering. Any internet-accessible MOVEit Transfer instance was vulnerable. According to Shodan queries at the time of active exploitation, approximately 2,500 internet-facing MOVEit servers were exposed, with 73% located in the United States.
Evidence from Kroll's incident response investigations and Mandiant's analysis suggests Cl0p had the MOVEit exploit prepared and operational well before the May 2023 campaign began — potentially since 2021. Mandiant observed that an IP address used for CVE-2023-34362 exploitation had been in use by FIN11 (the threat cluster overlapping with Cl0p) as early as mid-January 2023. Kroll stated that Cl0p appeared to have the MOVEit exploit completed at the time of the GoAnywhere MFT campaign in early 2023 and chose to execute the two campaigns sequentially rather than simultaneously. This level of pre-planning points to a deliberate, organized operation — not opportunistic discovery.
MOVEit Transfer supports three database backends: MySQL, Microsoft SQL Server, and Azure SQL. CVE-2023-34362 affected all supported backend configurations and all versions of MOVEit Transfer from 2020.0.x through 2023.0.0. Progress Software disclosed the vulnerability and released a patch on May 31, 2023. Active exploitation had begun four days earlier, on May 27. By the time the patch was available, significant exfiltration had already occurred across a large number of targets.
The LEMURLOOT Web Shell: Persistence, Reconnaissance, and Exfiltration
After exploiting the SQL injection vulnerability to gain initial access, Cl0p deployed a custom ASP.NET web shell named LEMURLOOT on compromised MOVEit Transfer servers. Written in C# and deployed as an ASPX file, LEMURLOOT was designed specifically for the MOVEit Transfer environment — it imports MOVEit-specific libraries including MOVEit.DMZ.ClassLib, MOVEit.DMZ.Application.Files, and MOVEit.DMZ.Application.Users to interact directly with the file transfer software's data structures.
The web shell was typically installed with the filename human2.aspx — a deliberate choice designed to blend in with MOVEit Transfer's legitimate human.aspx component, which implements the web interface. Distinguishing the malicious file from the legitimate one required attention to the filename suffix rather than a casual review of the server's file list. The web shell required authentication for incoming connections: operators provided a hard-coded password via an HTTP header named X-siLock-Comment, and if the header was absent or the password incorrect, LEMURLOOT returned a 404 Not Found response — a countermeasure against the simplest web shell discovery technique of issuing a GET request to the file path.
LEMURLOOT's operator commands included the ability to enumerate files and folders in the MOVEit Transfer system, retrieve configuration information and stored file data, create a new administrator-privileged account with a randomly generated username and a LoginName and RealName value set to "Health Check Service" (to blend with legitimate service accounts), delete that account after operations concluded, interact with Azure Blob storage for organizations using the cloud-hosted version, and retrieve files from the MOVEit Transfer database matching operator-specified criteria.
LEMURLOOT samples were uploaded to VirusTotal beginning May 28, 2023, from multiple countries including Italy, Pakistan, and Germany — suggesting that exploitation had begun immediately after Cl0p's initial launch and that the campaign was already touching organizations across multiple continents before Progress Software made its first public disclosure on May 31. In some confirmed cases, Mandiant observed data theft occurring within minutes of LEMURLOOT deployment. The compression of the timeline between compromise and exfiltration meant that organizations that applied the patch immediately after May 31 may still have been victimized in the preceding four days.
A critical operational detail documented by Kroll across multiple incident response engagements was the speed of the attack. Kroll observed the same fact pattern across many cases: activity against multiple organizations occurred within seconds or minutes of each other, suggesting automated or near-automated exploitation tooling that identified vulnerable instances and executed the full compromise sequence with minimal manual intervention per target. This automation was essential to Cl0p's ability to breach hundreds of organizations in a matter of days.
The Campaign Timeline
May 27, 2023: Earliest confirmed exploitation of CVE-2023-34362. LEMURLOOT web shells deployed and data exfiltration begins across multiple targets simultaneously.
May 28, 2023: First LEMURLOOT samples uploaded to VirusTotal from multiple countries. Exploitation is already underway against targets in Europe and North America.
May 31, 2023: Progress Software discloses the vulnerability and releases the first patch. Organizations running MOVEit Transfer are urged to apply immediately and investigate for signs of compromise. For a significant number of organizations, the patch arrives after their data has already been stolen.
June 2, 2023: CISA adds CVE-2023-34362 to its Known Exploited Vulnerabilities catalog. Microsoft attributes the campaign to Lace Tempest — a threat cluster that overlaps with FIN11 and Cl0p's operational infrastructure.
June 5, 2023: Major UK organizations publicly disclose breaches, including the BBC, British Airways, Boots, and Aer Lingus — all compromised through their shared use of payroll and HR outsourcing provider Zellis, which used MOVEit Transfer for data handling. British Airways employee data including national insurance numbers, dates of birth, home addresses, and payroll information was exposed. BBC employees' personal data was similarly exposed. These victims had no direct relationship with Progress Software — they were compromised through their vendor's use of the vulnerable software.
June 6, 2023: Cl0p publicly claims responsibility for the campaign on its dark web data leak site. The group announces it has stolen data from hundreds of companies and sets a June 14 deadline for victim organizations to contact them or face having their data published.
June 12, 2023: Ernst & Young, Transport for London, and Ofcom separately disclose impacts. Ofcom confirms that personal and confidential information was downloaded.
June 14, 2023: The first batch of victim names is published on Cl0p's leak site. Thirteen companies are named initially, with the list continuing to grow in subsequent weeks.
June 15, 2023: The U.S. Department of Energy is confirmed among the affected U.S. government organizations. The following day, Louisiana's Office of Motor Vehicles and Oregon's Driver and Motor Vehicle Services disclose that millions of residents' data was exposed through their state agencies' use of MOVEit Transfer.
July 6, 2023: Progress discloses three additional SQL injection vulnerabilities — CVE-2023-36934 (critical), CVE-2023-36932 (high), and CVE-2023-36933 (high) — bringing the total MOVEit-related CVEs from this period to six. Progress commits to releasing ongoing security updates on a predictable timeline, acknowledging the extent of the code quality issues in the platform.
The Supply Chain Cascade: Why Zellis Mattered
The BBC, British Airways, and Boots did not use MOVEit Transfer directly. They were compromised because their payroll and HR services provider, Zellis, used MOVEit Transfer to handle their data — and Zellis was compromised. These organizations had no visibility into Zellis's specific software stack, no ability to patch Zellis's systems, and no contractual requirement that would have alerted them to Zellis's use of the vulnerable product.
This supply chain cascading effect is what distinguishes the MOVEit campaign from a typical direct-attack data breach. The organizations that appeared in headlines as victims — BBC, British Airways, Aer Lingus, Shell, PricewaterhouseCoopers, Ernst & Young, Deloitte, Deutsche Bank, Sony, Siemens, the U.S. Department of Energy, the U.S. Department of Agriculture, the Louisiana Office of Motor Vehicles, the Colorado Department of Health Care Policy and Financing, and hundreds of others — were many layers removed from the exploited vulnerability. They were victimized not because of any failure in their own security controls, but because a software product in their vendor's supply chain had a critical flaw that was exploited before any patch existed.
The Zellis vector alone produced eight confirmed data compromises from a single MOVEit instance. CISA estimated that over 3,000 U.S. organizations and 8,000 global organizations were ultimately affected. Final counts from researchers placed the number of compromised organizations at over 2,700, with personal data exposed for an estimated 93 million individuals. Approximately 80% of victims were North America-based, reflecting MOVEit Transfer's concentration in that market. Finance, professional services, and education collectively accounted for over 48% of reported victims.
Nearly 75% of individuals compromised by the MOVEit campaign can be attributed to just nine victim organizations, according to Resecurity analysis. This concentration reflects how a single large data holder — a state motor vehicle registry, a major financial institution, a federal agency — can represent millions of individuals in a single server compromise. The downstream effect of data from these organizations eventually surfacing on dark web forums and in subsequent phishing and identity theft campaigns extended the harm well beyond the immediate breach notification period.
Cl0p's Extortion Model: No Encryption, No Negotiation
A defining characteristic of the MOVEit campaign was Cl0p's decision not to deploy ransomware encryption. Instead of locking victims' files and demanding payment for decryption keys — the traditional ransomware model — Cl0p focused entirely on data theft and extortion: steal the data, threaten to publish it, demand payment for its deletion.
This shift had significant operational consequences. Organizations that maintain off-site backups can recover from encryption attacks without paying ransom, because the lever that ransomware operators hold — the only key to your encrypted files — can be bypassed. Data theft extortion removes that option. An organization cannot "restore from backup" when the threat is not that their files are locked but that their stolen data will be published. The exposure of employee national insurance numbers, patient records, or customer financial data creates harm regardless of whether systems are restored.
Cl0p also made a notable statement about government data. On its leak site, the group claimed it had deleted data stolen from government organizations, military entities, and children's hospitals — characterizing these as politically inadvisable targets. Independent analysis by researchers could not confirm this claim, and at least some government data appeared to have been retained and was later found in secondary market data dumps. Whether the deletion claim was genuine or simply reputational management, it illustrated Cl0p's calculated public communications approach during the campaign.
Rather than contacting each victim individually with a ransom demand, Cl0p issued a single public statement on its leak site instructing affected organizations to make contact through a specified channel. This mass-extortion-by-announcement approach was designed to work at the scale of hundreds of simultaneous victims while requiring minimal individual operator effort. The U.S. State Department's Rewards for Justice program responded to the campaign by offering a $10 million bounty for information about the Cl0p gang — the same sum previously offered for Conti ransomware operators.
The group's ultimate financial yield from the campaign was estimated at $75 million to $100 million, despite a low percentage of victims opting to pay. A small number of organizations that faced particularly damaging exposures paid high individual ransoms that, aggregated, produced substantial returns. Secondary market monetization of stolen data — selling records to other criminal actors via dark web forums — provided additional revenue streams beyond direct extortion.
Progress Software's Response and Subsequent Vulnerabilities
Progress Software's immediate response to the May 31 disclosure received credit from cybersecurity professionals for its speed. The company patched quickly, issued clear guidance, and began communicating directly with customers about indicators of compromise. Within days the patch was available and Progress provided SQL query scripts that administrators could run against their MOVEit databases to audit for the administrator accounts that LEMURLOOT created — accounts with the LoginName "Health Check Service" that were created during active exploitation.
The subsequent discovery of additional SQL injection vulnerabilities in the same codebase — CVE-2023-35036, CVE-2023-35708, and then the July batch of three more CVEs — underscored that CVE-2023-34362 was not an isolated coding error but a symptom of broader input validation and parameterization failures throughout MOVEit Transfer's web application code. Progress acknowledged this by committing to ongoing security updates on a predictable schedule and releasing Service Packs designed to address the category of issues, not just individual instances. The pattern of finding one SQL injection vulnerability and then discovering several more upon deeper analysis is exactly what the Kolide commentary captured at the time: "SQLi vulnerabilities are sort of like cockroaches. If you create the conditions to have any, then you never just have one."
By mid-July 2023, Progress had released four separate rounds of critical patches. Organizations that applied only the first patch remained vulnerable to subsequent CVEs. Any organization running MOVEit Transfer needed to treat patch application as an ongoing emergency response process over a period of weeks, not a one-time action.
Lasting Impact and the Long Tail
The effects of the MOVEit campaign did not conclude when victims identified the breach and patched their systems. The data stolen in May and June 2023 continued to surface and cause harm for years afterward. In November 2024, a threat actor using the handle Nam3L3ss published data on BreachForums that it claimed came from the MOVEit attacks, including over 2.8 million records of Amazon employee data exfiltrated through a property management vendor that had used the compromised software. Amazon confirmed the breach affected work contact information but not financial data or social security numbers. Hundreds of additional organizations' data from the same 2023 campaign was simultaneously published. Progress Software faced both a Securities and Exchange Commission investigation and dozens of class action lawsuits from affected individuals and organizations.
The financial toll of the campaign was assessed at approximately $9.93 billion in total costs across all affected organizations, accounting for breach response, notification requirements, legal liability, regulatory penalties, operational disruption, and reputational damage. Within three months of its start, this figure had earned the MOVEit campaign the designation of the largest hack in recent history.
Defensive Lessons: What the MOVEit Campaign Demands from Defenders
The MOVEit campaign defines what a successful zero-day supply chain attack looks like and sets the standard for defensive expectations that organizations must plan against. Several specific lessons are actionable.
- Internet-accessible MFT platforms require active monitoring for web shell indicators at all times. LEMURLOOT's deployment pattern — a file named human2.aspx alongside the legitimate human.aspx — is detectable through file integrity monitoring on the MOVEit web directory. Organizations running internet-facing MFT software should maintain baseline file inventories and alert on any new ASPX, PHP, or script file creation in the application directory. Regular review of the list of active administrator accounts — specifically checking for accounts named "Health Check Service" or with randomly generated usernames — can surface LEMURLOOT-created backdoor accounts.
- Third-party risk extends to your vendors' software stacks, not just their practices. BBC, British Airways, Boots, and Aer Lingus were victimized through Zellis, not through their own MOVEit deployments. Vendor risk management programs that focus on security questionnaires and compliance certifications without inventorying the specific software vendors use for data handling are structurally incapable of catching this risk vector. Effective third-party risk programs must include software bill of materials (SBOM) visibility for vendors handling sensitive data.
- Pre-authentication vulnerabilities in internet-facing applications must be treated as critical regardless of whether a CVSS score has been assigned yet. CVE-2023-34362 did not receive a CVSS score before exploitation began. Waiting for a CVSS score to prioritize patching is an insufficient triage approach for pre-authentication flaws in software holding sensitive data. The presence of a pre-authentication vulnerability in an internet-facing, data-rich application should trigger emergency patch response on the same timeline as a known-exploited vulnerability.
- Data exfiltration extortion cannot be mitigated by backup strategy. The MOVEit campaign's shift from encryption to pure exfiltration means that the standard defense against ransomware — maintaining clean, isolated backups — does not prevent the primary harm. Organizations must treat data exfiltration prevention as a separate, distinct security objective from ransomware resilience. DLP controls on MFT servers, network monitoring for large outbound data flows, and anomaly detection on data access patterns are all necessary complements to backup and recovery programs.
- When a major SQL injection vulnerability is found in an application, assume there are more. The disclosure of CVE-2023-34362 was followed by five additional CVEs in the same codebase within weeks. Organizations applying each individual patch without expecting further disclosures were repeatedly re-exposed. The appropriate defensive posture when a major code-quality vulnerability is discovered in a vendor product is to assume a discovery period will follow and plan for continued emergency patching over weeks, not days.
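One way to implement the file-integrity check from the first lesson above, as an added example that is not Progress Software's or any vendor's tooling: it snapshots a web directory, diffs it against a known-good baseline, and flags any new server-side script, escalating when the file name imitates a legitimate one the way human2.aspx imitates human.aspx. The extension list, the baseline file set, and the sample contents are assumptions constructed for the demonstration.

```python
# Added example (not Progress Software's or any vendor's tooling): snapshot an
# MFT web directory, diff against a known-good baseline, flag dropped scripts.
# File names, extension list and sample contents below are constructed.
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Extensions the web server executes as code; a new file with one of these in
# the application directory is the LEMURLOOT deployment pattern.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}
Finding = Tuple[str, str, str]  # (severity, relative path, reason)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(web_root: Path) -> Dict[str, str]:
    """Map each file under web_root (relative, forward slashes) to its SHA-256."""
    return {p.relative_to(web_root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(web_root.rglob("*")) if p.is_file()}


def lookalike_of(name: str, baseline_paths: Iterable[str]) -> Optional[str]:
    """Baseline file that `name` imitates (human.aspx -> human2.aspx), or None.
    Same extension, legitimate stem plus digits or a separator; compared
    case-insensitively because Windows file names are."""
    stem, ext = Path(name).stem.lower(), Path(name).suffix.lower()
    for legit in baseline_paths:
        lstem, lext = Path(legit).stem.lower(), Path(legit).suffix.lower()
        if ext == lext and stem != lstem and re.fullmatch(re.escape(lstem) + r"[\d_\-]\w*", stem):
            return legit
    return None


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Compare a fresh snapshot with the baseline; findings are ranked by severity."""
    findings: List[Finding] = []
    for path, digest in current.items():
        if path in baseline:
            if baseline[path] != digest:  # a legitimate page rewritten in place
                findings.append(("high", path, "content changed since baseline"))
        elif Path(path).suffix.lower() in SCRIPT_EXTENSIONS:
            reason = "new server-side script"
            mimic = lookalike_of(Path(path).name, baseline)
            if mimic:
                reason += " mimicking " + mimic
            findings.append(("critical", path, reason))
        else:
            findings.append(("info", path, "new file"))
    for path in baseline.keys() - current.keys():
        findings.append(("medium", path, "file removed"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


if __name__ == "__main__":  # demo on a throwaway directory with constructed files
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "human.aspx").write_text("<%@ Page %>")  # stand-in for the real page
        (root / "web.config").write_text("<configuration/>")
        baseline = snapshot(root)  # in practice captured from the known-good install
        (root / "human2.aspx").write_text("<%@ Page %>")  # simulated web shell drop
        for severity, path, reason in diff(baseline, snapshot(root)):
            print(f"{severity.upper():8} {path}: {reason}")
```

Run the snapshot on a schedule and store the baseline off the server, since an attacker with a web shell can rewrite anything kept on the box.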
Key Takeaways
- The MOVEit campaign was years in the making. Evidence suggests Cl0p had the exploit ready before the GoAnywhere campaign in early 2023 and chose sequential rather than parallel execution. The group does not simply discover and exploit vulnerabilities — it sits on capabilities and deploys them strategically to maximize impact while managing law enforcement and media attention.
- Data theft without encryption is the extortion model Cl0p has refined to a mass-scale operation. The absence of encryption eliminated the backup recovery option and created harm that persisted for years after the initial breach, as stolen data continued to surface in secondary markets. Ransomware resilience programs built around backup recovery are incomplete defenses against this model.
- 2,700+ organizations and 93 million individuals were affected through a vulnerability in software many of them did not directly run. The supply chain cascade, exemplified by the Zellis-to-BBC/British Airways path, reflects a fundamental limitation of organization-centric security programs. The perimeter of an organization's attack surface extends to every vendor handling its data, including the software those vendors use.
- LEMURLOOT was designed with operational security in mind. The 404 response to unauthenticated requests, the "Health Check Service" account naming to blend with legitimate monitoring, and the integration of MOVEit-specific libraries to interact natively with the file transfer system reflect a threat actor that had invested time in building a capable, stealthy, environment-specific tool — not improvised post-exploitation.
- The MOVEit campaign's effects continued for years. Data surfaced in 2024 including Amazon employee records, with Progress Software still facing legal proceedings years later. The initial incident cost is not the complete financial impact of a mass data theft campaign; the tail of downstream phishing, identity fraud, legal liability, and regulatory consequences extends well beyond the breach notification period.
The MOVEit campaign is the benchmark against which subsequent MFT supply chain attacks — GoAnywhere, Cleo, and whatever comes next — are measured. Cl0p has demonstrated both the capability and the willingness to identify and hold zero-day vulnerabilities in widely-deployed data transfer infrastructure, deploy them at mass scale the moment operational conditions are right, and sustain extortion campaigns against hundreds of organizations simultaneously. The organizations that emerged best from the MOVEit campaign were those with MFT-specific monitoring, rapid patch deployment capabilities, and third-party data handling visibility. Those remain the defining defensive requirements for any organization participating in the modern supply chain.