Decipher File · May 2023 to August 2023
MOVEit Cl0p Cascade: How One Zero-Day Compromised Federal Agencies and Fortune 500
The MOVEit Cl0p incident was the zero-day mass-exploitation campaign that turned a managed file transfer product into a mass data theft pipeline. Beginning May 27, 2023, the Cl0p ransomware group exploited a SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer, ultimately reaching over 2,500 organizations and an estimated 95 million individuals.
Incident summary
MOVEit Transfer is a managed file transfer (MFT) product used by financial institutions, federal agencies, healthcare organizations, and law firms to exchange files with external partners. Progress Software disclosed CVE-2023-34362 on May 31, 2023, four days after the Cl0p ransomware group began mass exploitation.
Per the CISA AA23-158A advisory, the vulnerability was a SQL injection flaw in the MOVEit Transfer web application that permitted unauthenticated attackers to obtain database credentials, exfiltrate stored files, and place a web shell named human2.aspx for persistence. Cl0p deployed exploitation tooling at scale, hitting MOVEit instances faster than affected organizations could patch.
Public victim count crossed 2,500 organizations by August 2023 per Emsisoft tracking. Confirmed disclosed victims included the US Department of Energy, Oregon DMV, Louisiana Office of Motor Vehicles, Shell, BBC, British Airways, and Ernst and Young. Estimated individuals whose personal data was exposed exceeds 95 million.
Attack technique
MITRE ATT&CK maps initial access to T1190, Exploit Public-Facing Application. The SQL injection chain abused MOVEit's MSSQL backend to write files into the application's wwwroot directory and call into them as web shells. The web shell, human2.aspx, accepted authenticated requests from the attacker and executed administrative database operations including listing files and exfiltrating contents.
Mandiant attributed the campaign to UNC4857, which Microsoft tracks as Lace Tempest. Both names map to a financially motivated affiliate of the Cl0p ransomware group. Cl0p's operational pattern departed from typical RaaS playbooks. Rather than encrypting victim systems, the group exfiltrated data and listed victims on the Cl0p data leak portal demanding payment to prevent public release.
Progress Software disclosed two follow-on CVEs (CVE-2023-35036 on June 9, 2023 and CVE-2023-35708 on June 15, 2023) after researchers and Cl0p both demonstrated additional exploit chains in MOVEit. The pattern of multiple zero-days in a single product over weeks suggested either parallel research efforts or shared tooling within the threat actor community.
Impact and consequences
The campaign exposed federal employee personal data through compromises at Genworth Financial (2.5 million records), the Oregon DMV (3.5 million records), and several Department of Energy contractors. State unemployment systems in Louisiana and Colorado disclosed driver's license data on millions of residents.
Class action litigation against Progress Software and downstream MOVEit operators reached $50 million in settlements by mid-2024 per public court filings. Several state attorneys general including Maine and California opened investigations under their respective data breach notification statutes.
The incident accelerated CISA's Secure by Design initiative. CISA Director Jen Easterly cited MOVEit explicitly in February 2024 testimony before the House Homeland Security Committee as an example of why software vendors must ship secure defaults rather than patch after exploitation. The April 2024 Secure by Design pledge, signed by 68 software vendors, committed signatories to MFA defaults, default deny on internet-exposed services, and faster vulnerability disclosure.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- human2.aspx web shell artifact in MOVEit Transfer wwwroot directory
- human2.aspx.lnk shortcut file (variant)
- Anomalous SQL queries against MOVEit_Transfer database including msftesql operations
- New service account creation in MOVEit Transfer (user, sysadmin, or admin role)
- Outbound exfil traffic to C2 over HTTPS, file sizes matching MOVEit transfer logs
- CVE-2023-34362, CVE-2023-35036, CVE-2023-35708 (the disclosed vulnerability chain)
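A hunt over IIS request logs for the web-shell artifacts listed above, written as an added example that is not part of the original file and not vendor or CISA tooling. It assumes the standard IIS W3C extended log layout with a #Fields header. The log lines are constructed, the client address 198.51.100.7 is a documentation-range placeholder, and human.aspx is MOVEit Transfer's legitimate user-interface page, which the shell name was chosen to resemble; the check matches the file name case-insensitively and sums response bytes per client so a reviewer can see how much was pulled through the shell.

```python
"""Hunt IIS W3C logs for the MOVEit Cl0p web-shell artifacts (human2.aspx / human2.aspx.lnk)."""
from collections import defaultdict

# File names reported as the Cl0p web shell and its shortcut variant.
WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}

# Constructed sample log, not real traffic. The legitimate MOVEit UI is human.aspx;
# the last line is ordinary user activity and must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2023-05-28 03:12:01 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 4096
2023-05-28 03:12:07 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 1048576
2023-05-28 03:13:00 10.0.0.5 GET /Human2.ASPX - 443 - 198.51.100.7 Mozilla/5.0 200 512
2023-05-28 09:00:00 10.0.0.5 GET /human.aspx - 443 jdoe 203.0.113.9 Mozilla/5.0 200 2048
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def hunt(log_text):
    """Return (findings, bytes_by_client) for requests that hit a known web-shell name."""
    findings = []
    bytes_by_client = defaultdict(int)
    for rec in parse_w3c(log_text):
        # Compare only the final path component, case-insensitively (IIS paths are case-insensitive).
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name in WEBSHELL_NAMES:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "method": rec["cs-method"],
                "name": name,
                "c-ip": rec["c-ip"],
                "status": rec["sc-status"],
            })
            bytes_by_client[rec["c-ip"]] += int(rec["sc-bytes"])
    return findings, dict(bytes_by_client)


if __name__ == "__main__":
    hits, volume = hunt(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['c-ip']} {h['method']} {h['name']} -> {h['status']}")
    for ip, total in volume.items():
        print(f"{ip}: {total} response bytes via web shell")
```

Point the same function at a real IIS log directory (the u_ex*.log files) and triage any hit immediately; a single request to human2.aspx is sufficient evidence of compromise, and the byte totals per client give a first estimate of exfiltration volume before the MOVEit transfer logs are pulled.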
Lessons for defenders
Treat managed file transfer products as web applications. MOVEit, GoAnywhere MFT, and Accellion FTA have all been mass-exploited. The exposed surface is identical to a generic web app, and the same SAST and DAST coverage applies. Many security teams classified MFT as infrastructure and excluded it from web app testing.
Vendor risk management needs to extend beyond questionnaire responses. Several MOVEit victim organizations had documented vendor security questionnaires from Progress on file. Questionnaires do not test for SQL injection. Independent web application testing of vendor products handling sensitive data is now part of mature third-party risk programs.
Reduce internet-exposed file transfer surface. Many MOVEit instances were accessible directly from the public internet without any access control or VPN gating. Architecting MFT behind VPN, identity-aware proxy, or zero trust network access reduces the exploitable population to authenticated users only.
Zero-day response capability matters for MFT-class products. The window between Cl0p exploitation and Progress patch availability was four days. Organizations that could detect the human2.aspx web shell artifact via EDR file integrity monitoring caught the compromise before patch availability. Detection-engineering investment in vendor product telemetry pays off here.
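A baseline-and-diff file integrity check of the kind the paragraph above describes, written as an added example rather than code from the page, from Progress, or from any EDR product. It assumes the operator supplies the MOVEit Transfer web root path (a temporary directory stands in for it here) and that a new or modified file with an IIS-executable extension in that root is the signal worth paging on; the file names other than human.aspx and human2.aspx are constructed, and the planted human2.aspx contains placeholder text, not shell code.

```python
"""Baseline-and-diff file integrity check for a MOVEit Transfer wwwroot directory."""
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS executes as code. A new file with one of these in the web root
# is the web-shell pattern the advisory describes.
EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".dll"}
# File names reported as MOVEit Cl0p artifacts.
KNOWN_IOC_NAMES = {"human2.aspx", "human2.aspx.lnk"}
_RANK = {"critical": 0, "high": 1, "low": 2}


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def severity(rel_path):
    """Known IoC name beats extension; executable extension beats anything else."""
    name = rel_path.rsplit("/", 1)[-1].lower()
    if name in KNOWN_IOC_NAMES:
        return "critical"
    if Path(name).suffix in EXECUTABLE_EXT:
        return "high"
    return "low"


def diff_snapshots(baseline, current):
    """List added, modified and deleted files, most severe first."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append({"path": rel, "change": "added", "severity": severity(rel)})
        elif baseline[rel] != digest:
            findings.append({"path": rel, "change": "modified", "severity": severity(rel)})
    for rel in baseline:
        if rel not in current:
            findings.append({"path": rel, "change": "deleted", "severity": "low"})
    return sorted(findings, key=lambda f: (_RANK[f["severity"]], f["path"]))


def demo():
    """Build a constructed web root, baseline it, plant a web-shell-shaped file, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "human.aspx").write_text("<%@ Page %> constructed stand-in for the real login page")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(root)  # taken at patch/install time on a real host

        # What the attack leaves behind: a new .aspx dropped into the web root.
        (root / "human2.aspx").write_text("<%@ Page %> placeholder text, not shell code")
        # Benign drift for contrast: a static asset changed.
        (root / "images" / "logo.png").write_bytes(b"\x89PNG changed")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:8} {f['change']:9} {f['path']}")
```

On a real host the baseline is taken right after the vendor package is installed or patched and stored off the box; any "added" or "modified" entry with severity high or critical is a page, not a ticket, because the legitimate application does not write new executable pages into its own web root at runtime.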
Frequently asked questions
What is CVE-2023-34362 and how was it exploited?
CVE-2023-34362 is a SQL injection vulnerability in Progress Software's MOVEit Transfer disclosed May 31, 2023. The Cl0p ransomware group began mass exploitation on May 27, 2023, four days before patch availability. Attackers abused the SQL injection to write the human2.aspx web shell into the wwwroot directory, then exfiltrated stored files and database contents.
How many organizations were affected by the MOVEit breach?
Per Emsisoft public tracking and Mandiant analysis, over 2,500 organizations were compromised through MOVEit Transfer. Confirmed victims include the US Department of Energy, Oregon DMV, Shell, BBC, British Airways, and Ernst and Young. Estimated individuals whose personal data was exposed exceeds 95 million across the campaign.
What cybersecurity skills are most relevant to defending against MOVEit-class attacks?
Application Security Engineers test vendor products for SQL injection and similar weaknesses before deployment. Penetration Testers run engagements against managed file transfer products. Threat Intelligence Analysts track Cl0p tradecraft and similar zero-day mass-exploitation campaigns. All three roles use MOVEit as a baseline reference incident in 2024 and 2025 hiring loops.
Sources
- CISA Advisory AA23-158A: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability · Joint federal advisory with TTPs and IOCs
- Progress Software MOVEit Transfer Critical Vulnerability Advisory · Vendor disclosure dated May 31, 2023
- NVD CVE-2023-34362 · Authoritative vulnerability record
- Mandiant Zero-Day MOVEit Transfer Vulnerability Exploitation · Mandiant attribution and incident analysis
- Microsoft Threat Intelligence Lace Tempest Exploitation of CVE-2023-34362 · Microsoft attribution to Lace Tempest (Cl0p affiliate)
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.