The MOVEit Breach: How Cl0p Stole Data from 2,700 Organizations in One Weekend

The 2023 MOVEit Transfer breach was one of the most impactful supply chain attacks since SolarWinds. A single SQL injection vulnerability in a file transfer product used by thousands of organizations led to the theft of data from more than 2,700 organizations, including government agencies, banks, airlines, and healthcare providers. The Cl0p extortion group ran the campaign; Coveware later estimated its proceeds at roughly $75 to 100 million.

What is MOVEit Transfer?

MOVEit Transfer is a Managed File Transfer (MFT) solution made by Progress Software, used by organizations to securely transfer sensitive files — payroll data, patient records, financial reports, and regulatory submissions. It is particularly common in healthcare, finance, and government sectors. Its prevalence in high-value data environments made it an extraordinarily valuable target.

The Vulnerability: CVE-2023-34362

On May 31, 2023, Progress Software disclosed a critical SQL injection vulnerability in the MOVEit Transfer web application (CVSS 9.8). Crafted values in HTTP request parameters and headers reached a database query unsanitized, so an unauthenticated attacker could execute arbitrary SQL against the MOVEit database. Public exploit analyses (Horizon3, Huntress) show the injection was only the first step: it was used to plant a privileged session, the application's own API was then called with that session to upload a file, and a deserialization flaw in the upload handling turned that into code execution on the server, which is how the webshell was written to disk.

# CVE-2023-34362 attack pattern (simplified reconstruction for educational purposes; not the real payload)
# /api/v1/token and /machine2machine/token are the API endpoints the exploit chain calls after the
# injection has succeeded. Public analyses (Huntress, Horizon3) place the injection itself in the
# guest-access transaction handling (moveitisapi/moveitisapi.dll and guestaccess.aspx, via the
# X-siLock-Transaction request header), so a WAF that only inspected form parameters on the token
# endpoint would have seen nothing. The request below illustrates the bug class, not the exploit:

POST /api/v1/token HTTP/1.1
Host: victim-moveit.example.com
Content-Type: application/x-www-form-urlencoded

username=';SELECT+CONVERT(INT,@@version)--&password=anything

# After authentication bypass, Cl0p deployed a webshell called "LEMURLOOT"
# Webshell was saved as: human2.aspx (mimicking MOVEit's own file naming)
# LEMURLOOT provided file listing, download, and system info capabilities

# Detection: look for ASPX files in the MOVEit web root newer than the shipped pages
# (MOVEit Transfer runs on Windows/IIS; default web root is C:\MOVEitTransfer\wwwroot)
$root = 'C:\MOVEitTransfer\wwwroot'
$baseline = (Get-Item "$root\human.aspx").LastWriteTime
Get-ChildItem $root -Recurse -Include *.aspx,*.ashx,*.asmx |
    Where-Object { $_.LastWriteTime -gt $baseline }
# Timestamps can be forged; also hash the web root against a clean install of the same version

# Check for webshell IOCs. IIS logs do not record custom request headers such as X-siLock-Comment
# by default, so hunt for the shell's URL in the IIS logs and for ASP.NET's compiled copy of it:
Select-String -Path 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' -Pattern 'human2\.aspx'
Get-ChildItem 'C:\Windows\Microsoft.NET\Framework64\*\Temporary ASP.NET Files' -Recurse -Filter 'human2*' -ErrorAction SilentlyContinue

The Attack Timeline

July 2021 to Early 2023 — Reconnaissance and Testing

Kroll's forensic analysis found evidence of Cl0p probing the MOVEit vulnerability as early as July 2021, with further tests in 2022 and automated exploitation attempts in early 2023. This is consistent with Cl0p's pattern of identifying zero-days months before deploying them, as it had done with Accellion FTA and GoAnywhere MFT, maximizing the window during which victims have no patch.

May 27-28, 2023 — Memorial Day Weekend Attack

Cl0p launched the mass exploitation campaign over the US Memorial Day weekend, when many security teams were on holiday staffing; Mandiant's earliest observed exploitation is dated May 27. In roughly 24 to 48 hours the group hit vulnerable MOVEit instances at hundreds of organizations, deployed LEMURLOOT webshells, and exfiltrated data.

The speed and scale required automation — Cl0p had industrialized the exploitation into a pipeline that could process thousands of targets in parallel.

May 31, 2023 — Progress Software Discloses

Progress Software publicly disclosed the zero-day on May 31 and shipped fixed versions the same day, an admirably fast response. By then Cl0p had already exfiltrated data from most of its targets; patching closed the door, but the data was already gone. Patching once was also not the end of it: Progress disclosed two further SQL injection flaws in the same product in June (CVE-2023-35036 on June 9 and CVE-2023-35708 on June 15), so anyone who patched only for CVE-2023-34362 was exposed again within days.

June 2023 — Cl0p’s Extortion Campaign

Cl0p began contacting victim organizations, demanding ransom payments with a deadline of June 14. Organizations that did not pay had their stolen data published on Cl0p’s dark web leak site. Notable victims included:

  • Shell Oil: Employee and customer data exposed
  • BBC: Staff personal information
  • British Airways: Employee data via their payroll provider (Zellis)
  • US Department of Energy: Data from two contractors, Oak Ridge Associated Universities and the Waste Isolation Pilot Plant
  • Minnesota Department of Education: Data on 95,000 students
  • Maximus: Health data of up to 11 million individuals
  • Colorado Department of Health Care Policy: Data of 4 million people

LEMURLOOT Webshell Analysis

# LEMURLOOT characteristics (YARA rule)
rule LEMURLOOT_Webshell {
    meta:
        description = "Detects LEMURLOOT MOVEit webshell used by Cl0p"
        reference = "CVE-2023-34362"
    strings:
        // Operator-supplied headers the shell reads. The bare "siLock" string is not
        // used as evidence: X-siLock-* is also a legitimate MOVEit header prefix, and it
        // is a substring of every other marker, so it would match vendor code and inflate
        // any "N of them" count. "wide" also catches the UTF-16 strings in a compiled App_Web_*.dll.
        $comment = "X-siLock-Comment" ascii wide
        $step1 = "X-siLock-Step1" ascii wide
        $step2 = "X-siLock-Step2" ascii wide
        $step3 = "X-siLock-Step3" ascii wide
        $isapi = "MOVEitISAPI" ascii wide
    condition:
        filesize < 1MB and $comment and 2 of ($step*, $isapi)
}

# Run YARA scan against the MOVEit web root and the ASP.NET temp directory (compiled copies)
yara -r lemurloot.yar C:\MOVEitTransfer\wwwroot
yara -r lemurloot.yar "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files"

# LEMURLOOT is an ASPX page with inline C#. ASP.NET compiles it on first request, which leaves
# a human2.aspx.*.compiled file and an App_Web_*.dll under Temporary ASP.NET Files even after
# the .aspx itself is deleted.
# Key behaviors (per Mandiant's analysis):
# - Enumerated files, folders and users from the MOVEit database
# - Retrieved the Azure Blob Storage settings configured in MOVEit
# - Downloaded files selected by folder and file ID
# - Created an admin user ("Health Check Service") and deleted it again to cover tracks
# - Authenticated its operator with a password in the "X-siLock-Comment" header;
#   a wrong password returns a plain 404, so scanners see a missing page

# Network IOCs: Cl0p C2 IPs (May 2023)
# 5.252.177.127
# 194.165.16.77
# 136.243.108.14
# IP indicators go stale quickly and get reassigned; validate any list against the current
# CISA/FBI advisory (AA23-158A) before acting on a hit, and do not treat "no hit" as "not
# compromised", since Cl0p used many more source addresses than any short list.
# Check for connections to these IPs (fixed-string match, so the dots are not regex wildcards):
grep -F -e 5.252.177.127 -e 194.165.16.77 -e 136.243.108.14 /var/log/firewall.log
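The file-system side of the hunt described above (new ASPX files, files newer than the shipped pages, and the LEMURLOOT header strings from the YARA rule) as one script, which is an added example and not code from the article, Progress or Mandiant. It applies the same string logic as the YARA rule in plain Python, generalized over a whole directory tree. The web root, page contents, timestamps, the KNOWN_GOOD allowlist and the baseline page name are constructed for the demo; on a real host point it at C:\MOVEitTransfer\wwwroot and build the allowlist by hashing a clean install of your version.

```python
"""Hunt a MOVEit-style web root for planted web shells such as human2.aspx.

Added example (not code from the article, Progress or Mandiant). Checks:
script files not in a known-good set, files modified after the shipped
pages, and file contents carrying the LEMURLOOT operator headers.
The web root, page contents and timestamps are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path

# Operator headers the shell reads (from public analyses). The bare "siLock"
# prefix is deliberately absent: MOVEit's own pages use X-siLock-* headers too.
LEMURLOOT_MARKERS = ("X-siLock-Comment", "X-siLock-Step1",
                     "X-siLock-Step2", "X-siLock-Step3")

# Constructed allowlist of vendor pages; a real one comes from a clean install.
KNOWN_GOOD = {"human.aspx", "guestaccess.aspx", "machine.aspx"}
SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asax"}


def hunt(root, baseline_name="human.aspx", min_markers=2):
    """Return sorted (relative_path, [reasons]) pairs for suspicious script files."""
    root = Path(root)
    baseline_mtime = (root / baseline_name).stat().st_mtime
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXT:
            continue
        reasons = []
        if path.name.lower() not in KNOWN_GOOD:
            reasons.append("not in known-good set")
        # +1s tolerance: files written by the installer share a timestamp
        if path.stat().st_mtime > baseline_mtime + 1:
            reasons.append("newer than baseline page")
        text = path.read_text(errors="replace")
        hits = [m for m in LEMURLOOT_MARKERS if m in text]
        if len(hits) >= min_markers:
            reasons.append("LEMURLOOT headers: " + ", ".join(hits))
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return sorted(findings.items())


def build_demo_root():
    """Create a constructed web root: vendor pages plus a planted human2.aspx."""
    root = Path(tempfile.mkdtemp(prefix="moveit_demo_"))
    install_time = 1_680_000_000  # constructed install timestamp
    pages = {
        "human.aspx": '<%@ Page Language="C#" %><!-- vendor page; uses X-siLock-Transaction -->',
        "guestaccess.aspx": '<%@ Page Language="C#" %><!-- vendor guest access page -->',
        # constructed stand-in for the shell, not LEMURLOOT source
        "human2.aspx": ('<%@ Page Language="C#" %><% string pw = Request.Headers["X-siLock-Comment"];'
                        ' string step = Request.Headers["X-siLock-Step1"]; %>'),
    }
    for name, body in pages.items():
        p = root / name
        p.write_text(body)
        os.utime(p, (install_time, install_time))
    dropped = install_time + 60 * 86400  # the shell lands weeks after the install
    os.utime(root / "human2.aspx", (dropped, dropped))
    return root


if __name__ == "__main__":
    for rel, reasons in hunt(build_demo_root()):
        print(f"{rel}: {'; '.join(reasons)}")
```

Run it on the demo root and only human2.aspx is reported, with all three reasons. The timestamp check is the weakest of the three (an attacker with write access can timestomp), which is why the allowlist and content checks are kept independent rather than combined into one score; include the Temporary ASP.NET Files directory in the scan if you want the compiled copies as well.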

How to Detect the MOVEit Attack

# MOVEit Transfer runs on Windows/IIS, so these checks are PowerShell and T-SQL, not grep and find.

# 1. Check MOVEit's own logs for SQL fragments in request data
Select-String -Path 'C:\MOVEitTransfer\Logs\*.log' -Pattern "';|SELECT |UNION |CAST\(|CONVERT\(|EXEC |xp_|0x[0-9A-Fa-f]{8}"

# 2. Look for the token endpoints used after the injection, and for the shell itself, in the
#    IIS W3C logs (cs-method and cs-uri-stem are adjacent fields, so "POST /api/v1/token" matches)
Select-String -Path 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' -Pattern 'POST /api/v1/token|POST /machine2machine/token|human2\.aspx'

# 3. Check for new ASPX files (webshell) relative to a page that ships with the product
$root = 'C:\MOVEitTransfer\wwwroot'
Get-ChildItem $root -Recurse -Include *.aspx | Where-Object { $_.LastWriteTime -gt (Get-Item "$root\human.aspx").LastWriteTime }

# 4. Check the MOVEit database (MS SQL) for accounts and sessions the attacker created.
#    LEMURLOOT created a user named "Health Check Service" and usually deleted it again, so
#    absence of the account proves nothing; table and column names vary by version, confirm
#    them against your schema before relying on the queries.
SELECT * FROM moveittransfer.dbo.users ORDER BY CreateStamp DESC;
SELECT * FROM moveittransfer.dbo.activesessions;   -- look for sessions with no matching real user

# 5. Splunk query for MOVEit exploitation
index=web_logs dest_port=443 (uri_path="*/api/v1/token*" OR uri_path="*/machine2machine*")
| rex field=uri_query "(?i)(?P<sqli>SELECT|UNION|CAST|CONVERT|EXEC)"
| where isnotnull(sqli)
| stats count by src_ip uri_path sqli

# 6. Check for data exfiltration (large outbound transfers)
index=firewall action=allow dest_port=443 bytes_out > 100000000
| stats sum(bytes_out) as total_out by src_ip dest_ip
| sort -total_out | head 20
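The IIS-log checks in steps 2, 5 and 6 above, written as one detector over log text so the logic can be read and tested without Splunk. This is an added example, not code from the article. The log lines are constructed to look like IIS W3C output with sc-bytes logging enabled; the sequence it looks for (POSTs to moveitisapi.dll or guestaccess.aspx, then POST /api/v1/token or /machine2machine/token from the same client, then traffic to a non-vendor .aspx such as human2.aspx) follows public analyses of CVE-2023-34362. The vendor-page allowlist, the five-minute window and the byte threshold are assumptions to tune against your own baseline.

```python
"""Flag the MOVEit exploitation pattern in IIS W3C logs.

Added example, not code from the article. SAMPLE_LOG is constructed; the
allowlist, window and threshold below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-bytes
2023-05-27 01:12:03 10.0.0.5 GET /human.aspx - 443 203.0.113.9 200 5120
2023-05-27 01:12:09 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 203.0.113.9 200 512
2023-05-27 01:12:10 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.9 200 300
2023-05-27 01:12:14 10.0.0.5 POST /api/v1/token - 443 203.0.113.9 200 400
2023-05-27 01:12:20 10.0.0.5 PUT /api/v1/folders/1234/files uploadType=resumable 443 203.0.113.9 200 100
2023-05-27 01:13:02 10.0.0.5 GET /human2.aspx - 443 203.0.113.9 200 48000000
2023-05-27 01:13:40 10.0.0.5 GET /human2.aspx - 443 203.0.113.9 200 73000000
2023-05-27 02:00:00 10.0.0.5 GET /human.aspx - 443 198.51.100.7 200 5120
2023-05-27 02:00:05 10.0.0.5 POST /human.aspx - 443 198.51.100.7 302 200
2023-05-27 02:00:30 10.0.0.5 POST /api/v1/token - 443 198.51.100.7 200 400
"""

VENDOR_PAGES = {"/human.aspx", "/guestaccess.aspx", "/machine.aspx"}  # constructed allowlist
SQLI_STAGE = {"/moveitisapi/moveitisapi.dll", "/guestaccess.aspx"}
TOKEN_ENDPOINTS = {"/api/v1/token", "/machine2machine/token"}
CHAIN_WINDOW = timedelta(minutes=5)   # assumption: SQLi stage to token request
EXFIL_BYTES = 50_000_000              # assumption: bytes served by non-vendor pages per client


def parse_iis(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        raw = rec.get("sc-bytes", "-")
        rec["sc-bytes"] = int(raw) if raw.isdigit() else 0
        yield rec


def analyse(text):
    """Return {client_ip: [finding, ...]} for clients matching any part of the pattern."""
    findings = defaultdict(list)
    last_sqli_stage = {}            # client ip -> time of its last SQLi-stage POST
    shell_bytes = defaultdict(int)  # client ip -> bytes served by non-vendor pages
    for r in parse_iis(text):
        ip, ts, method = r["c-ip"], r["ts"], r["cs-method"]
        stem = r["cs-uri-stem"].lower()
        if method == "POST" and stem in SQLI_STAGE:
            last_sqli_stage[ip] = ts
        if method == "POST" and stem in TOKEN_ENDPOINTS:
            prev = last_sqli_stage.get(ip)
            if prev is not None and ts - prev <= CHAIN_WINDOW:
                findings[ip].append(
                    f"{ts} {stem} within {(ts - prev).seconds}s of a SQLi-stage request")
        if stem.endswith(".aspx") and stem not in VENDOR_PAGES:
            findings[ip].append(f"{ts} request to non-vendor page {stem}")
            shell_bytes[ip] += r["sc-bytes"]
    for ip, total in shell_bytes.items():
        if total >= EXFIL_BYTES:
            findings[ip].append(f"{total} bytes served by non-vendor pages (possible exfil)")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip)
        for note in notes:
            print("  ", note)
```

On the sample, 203.0.113.9 is reported for the SQLi-stage-to-token chain, for two hits on human2.aspx, and for 121 MB served by that page, while 198.51.100.7, which logs in through human.aspx and then asks for a token, is not reported. Legitimate guest uploads also POST to guestaccess.aspx, which is why the chain rule requires the token request within minutes rather than flagging every guest-access POST; treat a chain hit as a lead to confirm in MOVEit's own audit log, not as proof on its own.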

Prevention Lessons

1. Managed File Transfer Exposure Audit

# Identify all internet-facing file transfer applications
nmap -sV -p 80,443,8080,8443 --script http-title YOUR_IP_RANGE | grep -iE "moveit|goanywhere|globalscape|serv-u"

# Check how the MOVEit web interface is exposed. Many MFT deployments have to accept uploads from
# external partners, so "unreachable from the internet" is not always realistic; the minimum is that
# the admin UI and the API are not reachable from arbitrary addresses, and that from an untrusted
# network you get a deny or a VPN redirect rather than the login page:
curl -I https://your-moveit-instance.com/  # expect 403 or a redirect to the VPN portal

# Network segmentation check: MFT servers should not have direct internet access
# Traffic flow: Internet -> WAF/Reverse Proxy -> MFT Application -> Internal Network

2. Web Application Firewall Rules for SQLi

# ModSecurity rule using libinjection. The MOVEit injection arrived in a request header
# (X-siLock-Transaction, per public exploit analyses), not in a form parameter, so a rule that
# inspects only ARGS would never have seen the payload; inspect headers and the body as well,
# then tune for the legitimate X-siLock-* values MOVEit clients send:
SecRule ARGS|REQUEST_HEADERS|REQUEST_BODY "@detectSQLi" "id:100001,phase:2,deny,log,msg:'SQL Injection Detected'"

# OWASP Core Rule Set includes SQLi detection by default
# Enable in Apache:
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

3. File Integrity Monitoring for Web Directories

# Wazuh FIM to detect webshell drops (Wazuh agent on the Windows MOVEit server)
# In C:\Program Files (x86)\ossec-agent\ossec.conf, or centrally via the manager's agent.conf:
<syscheck>
  <directories check_all="yes" realtime="yes" report_changes="yes">C:\MOVEitTransfer\wwwroot</directories>
</syscheck>

# This generates an alert within seconds of a new ASPX file being written
# Combined with Wazuh active response: automatically quarantine the file

4. Third-Party Risk Management

Many MOVEit victims were not direct MOVEit customers — they were customers of companies like Zellis (payroll processor) or PBI Research (benefits auditor) who used MOVEit. The attack demonstrated that your security posture extends to every vendor who handles your data. Mandatory security questionnaires, SOC 2 reports, and contractual security requirements for data processors are now non-negotiable.

The MOVEit breach and SolarWinds before it prove that supply chain attacks are the new frontier of large-scale cybercrime. Cl0p’s industrialization of zero-day exploitation — identifying, developing, and mass-deploying exploits at scale — represents a maturity of criminal operations that demands equally mature defensive responses including zero trust, continuous monitoring, and vigorous third-party risk management.