A mass exploitation of the MOVEit Transfer platform via a zero-day that compromised 2,700+ organizations and 90 million individuals through pure data extortion.
In late May 2023, the Cl0p ransomware gang exploited a zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used managed file transfer (MFT) product from Progress Software. The attack compromised over 2,700 organizations and exposed the personal data of more than 90 million individuals worldwide. Victims included government agencies (the US Department of Energy and multiple state governments), financial institutions (Deutsche Bank, ING Bank), healthcare organizations, universities, and major corporations including Shell, the BBC, British Airways, and Ernst & Young.
Cl0p had discovered and tested the vulnerability as early as 2021, waiting two years before launching mass exploitation during the US Memorial Day holiday weekend when security staffing was minimal.
The vulnerability was an injection flaw in MOVEit Transfer's web application that allowed unauthenticated attackers to access the underlying database. Cl0p used it to deploy a custom web shell called LEMURLOOT (human2.aspx), which provided persistent access, the ability to enumerate and download files, and the ability to create new administrative accounts.
The attack was highly automated. Cl0p deployed scripts that systematically identified MOVEit installations across the internet, exploited the injection flaw, installed the web shell, and began bulk data exfiltration within hours. The group used legitimate cloud storage services and Tor infrastructure to transfer stolen data. Unlike traditional ransomware operations, Cl0p did not encrypt victim systems. Their operation was pure data theft and extortion, threatening to publish stolen data on their leak site if victims did not pay.
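The web-shell file name above is the most direct host- and log-level indicator a defender can check for. The following triage script is an added example, not code from the article or from Progress Software: it scans constructed IIS-style log lines for requests to human2.aspx and summarizes them by source and status. It assumes a simplified W3C field order (date, time, client IP, method, URI stem, status); real IIS logs carry more fields and the regex would need adjusting.

```python
"""Triage helper for the MOVEit Transfer web-shell indicator (added example)."""
import re
from collections import Counter

# Web-shell file name from the article. Any request for it is suspicious.
WEBSHELL_NAMES = {"human2.aspx"}

# Assumed simplified W3C field order: date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_webshell_hits(lines):
    """Return parsed entries whose requested file name is a known web-shell name."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        # Compare only the final path component, case-insensitively (IIS paths are).
        name = entry["uri"].rsplit("/", 1)[-1].lower()
        if name in WEBSHELL_NAMES:
            hits.append(entry)
    return hits

def summarize(hits):
    """Count hits by source IP and HTTP status for a quick triage view."""
    return {"by_ip": Counter(h["ip"] for h in hits),
            "by_status": Counter(h["status"] for h in hits)}

# Constructed sample log lines (not real traffic); the third is a near-miss name.
SAMPLE_LOG = [
    "2023-05-28 03:14:07 203.0.113.5 GET /human2.aspx 200",
    "2023-05-28 03:14:09 203.0.113.5 POST /Human2.aspx 200",
    "2023-05-28 03:15:00 198.51.100.7 GET /human.aspx 200",
    "2023-05-28 03:16:11 198.51.100.7 GET /api/v1/token 200",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    print(summarize(find_webshell_hits(SAMPLE_LOG)))
```

A file named human2.aspx present in the MOVEit web root is the corresponding on-disk check; absence of log hits does not rule out compromise if logs were truncated or rotated.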
Progress Software released patches on May 31, but by then Cl0p had already compromised the majority of its targets. Additional vulnerabilities (CVE-2023-35036 and CVE-2023-35708) were discovered during the incident response, requiring multiple patch cycles.
The MOVEit breach became the largest single exploit event in ransomware history by victim count. It exposed the systemic risk of file transfer tools that organizations trust with their most sensitive data. The breach accelerated the decline of legacy MFT solutions, prompted regulatory scrutiny of software vendor security practices, and demonstrated that ransomware groups had evolved beyond encryption to pure data extortion. It underscored that zero-day vulnerabilities in widely deployed enterprise software can create mass-casualty cyber events affecting entire sectors simultaneously.
Written by CDA Editorial