Three Years After Cl0p MOVEit: The Vendor IR Lessons That Stuck
Threat Intelligence
The May 2023 MOVEit campaign hit 2,700 organisations through a single vendor vulnerability. Three years on, we audit the managed file transfer landscape and the vendor incident response playbooks that actually changed.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 7, 2024 · 7 min read
Cl0p's MOVEit Transfer campaign in May 2023 is still the largest single supply chain ransomware event by victim count. 2,700 organisations, 95 million individuals, a single zero-day in a Progress Software product. We did six MOVEit-adjacent incident responses in 2023. Looking back, the lessons we drew then have aged well. The vendors who learned the right ones look different in 2024 from the vendors who did not.
The managed file transfer audit
Most enterprises still run more managed file transfer products than they realise. We surveyed 40 client environments in early 2024 and found an average of 2.8 MFT products per organisation, ranging from sanctioned MOVEit deployments to shadow installations of FileCatalyst, GoAnywhere, Cleo Harmony, and OpenText. The Cl0p group exploited zero days in MOVEit, GoAnywhere, and Cleo within an 18-month window. The pattern is the product class, not the vendor.
- Inventory every MFT product, including shadow installations. Use network sensors, not just asset management, because shadow MFT often runs on developer-managed VMs.
- Confirm internet exposure for every MFT instance. The Cl0p campaign required internet-facing admin endpoints. Most MFTs do not need them.
- Require WAF rules in front of every internet-facing MFT, even when the vendor says it is not needed.
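The reconciliation the first two items describe, as an added example rather than BIPI's own tooling: a sanctioned-MFT list from the CMDB is compared against passive network sensor observations, and any host that looks like an MFT product but is absent from the CMDB is reported as shadow, while any MFT host seen serving a client outside the internal address ranges is reported as internet-exposed. The CMDB export, the sensor records, the banner keywords and the internal ranges are all constructed assumptions.

```python
"""Reconcile sanctioned MFT inventory against passive network observations.

Added example, not BIPI's tooling. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Illustrative banner keywords, not vendor-verified signatures (assumption).
MFT_FINGERPRINTS = {
    "moveit": "MOVEit Transfer",
    "goanywhere": "GoAnywhere MFT",
    "cleo harmony": "Cleo Harmony",
    "filecatalyst": "FileCatalyst",
}

# Assumed internal address space; anything outside it counts as internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Observation:
    host: str        # server address seen by the sensor
    port: int
    banner: str      # HTTP Server header or page title captured passively
    source_ip: str   # client address of the observed flow


# Constructed CMDB export: host -> sanctioned product.
SANCTIONED_MFT = {"10.1.5.20": "MOVEit Transfer"}

# Constructed sensor export.
OBSERVED_FLOWS = [
    Observation("10.1.5.20", 443, "Server: MOVEit Transfer 2023.0", "10.1.40.12"),
    Observation("10.7.3.14", 8000, "GoAnywhere MFT Admin Console", "198.51.100.7"),
    Observation("10.9.0.8", 443, "Cleo Harmony Web UI", "10.3.3.3"),
    Observation("10.2.2.2", 443, "Server: nginx", "198.51.100.9"),
]


def fingerprint(banner: str) -> Optional[str]:
    """Map a banner to an MFT product name, or None if it is not an MFT."""
    low = banner.lower()
    for needle, product in MFT_FINGERPRINTS.items():
        if needle in low:
            return product
    return None


def is_external(addr: str) -> bool:
    """True when the client address lies outside the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def reconcile(sanctioned: Dict[str, str],
              observed: List[Observation]) -> Dict[str, Dict[str, str]]:
    """Return {'shadow': {host: product}, 'internet_exposed': {host: product}}."""
    shadow: Dict[str, str] = {}
    exposed: Dict[str, str] = {}
    for obs in observed:
        product = fingerprint(obs.banner)
        if product is None:
            continue                      # not an MFT-looking service
        if obs.host not in sanctioned:
            shadow[obs.host] = product    # MFT the CMDB does not know about
        if is_external(obs.source_ip):
            exposed[obs.host] = product   # MFT serving clients from the internet
    return {"shadow": shadow, "internet_exposed": exposed}


if __name__ == "__main__":
    for kind, hosts in reconcile(SANCTIONED_MFT, OBSERVED_FLOWS).items():
        for host, product in sorted(hosts.items()):
            print(f"{kind:17s} {host:12s} {product}")
```

Run it on a real sensor export and the interesting output is the union of the two lists: a shadow host that is also internet-exposed is exactly the case the campaign exploited.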
Vendor incident response readiness
Progress Software's response to MOVEit was reasonable but slow by modern standards. The initial CVE went public on 31 May 2023. Cl0p had been exploiting it since 27 May. The four-day window was enough for the campaign to reach most victims. Three years on, the vendors we audit have largely moved to a faster cadence.
What good vendor IR looks like in 2024
We rate vendor IR readiness on five criteria when we do third-party assessments for clients. The bar has risen across the industry but unevenly.
- Time from internal detection to customer notification: best-in-class is under 24 hours, median across vendors is still 5 to 7 days
- Indicator publication speed: best vendors publish IOCs and YARA rules within 48 hours of the initial advisory
- Patch availability versus advisory publication: leading vendors release patches simultaneously with advisories, laggards still take days
- Customer-side detection guidance: include logging changes, configuration tightening, and detection rules, not just patching steps
- Post-incident transparency: detailed root cause publication within 30 days, including process changes
Third-party data exposure procedures
Most of the MOVEit damage was not first-order victims. It was second-order: a benefits administrator gets breached, and 200 client companies have their employee data exposed. The data subject notification cascade is what made the campaign so politically charged. Three years on, the procedures that mature organisations have built look something like this:
Maintain a third-party data inventory by data category, not just by vendor. When a vendor breach happens, you need to know in minutes which of your data categories are at risk, not which vendors. We have seen organisations reduce the notification timeline from 4 weeks to 6 days by indexing the data inventory the right way.
When your vendor gets breached, your clock has already started. The notification preparation needs to be done in advance, not under deadline.
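One way to structure that inventory, as an added example that is not BIPI's own procedure: each feed to a third party is recorded with its data category and the owner of the data (an internal unit or a downstream client), and the inventory keeps two indexes, one by vendor and one by category. Given a breached vendor, the query returns the categories at risk, the owners who must be notified for each, and the subject counts. The vendors, owners, categories and counts are all constructed.

```python
"""Third-party data inventory indexed by category as well as by vendor.

Added example; all feeds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Feed:
    vendor: str      # third party that receives the data
    owner: str       # whose data it is: an internal unit or a downstream client
    category: str    # data category the feed carries
    subjects: int    # approximate number of data subjects in the feed


# Constructed inventory. ClientA/ClientB stand in for downstream clients whose
# employee data we process; a breach at our vendor is their second-order exposure.
FEEDS = [
    Feed("BenefitsAdminCo", "HR", "employee_pii", 12000),
    Feed("BenefitsAdminCo", "HR", "health_plan", 9500),
    Feed("BenefitsAdminCo", "ClientA", "employee_pii", 3100),
    Feed("BenefitsAdminCo", "ClientB", "employee_pii", 850),
    Feed("PayrollCo", "Finance", "payroll_bank", 12000),
    Feed("MarketingCo", "Marketing", "customer_contact", 400000),
]


class DataInventory:
    def __init__(self, feeds: List[Feed]) -> None:
        self.by_vendor: Dict[str, List[Feed]] = defaultdict(list)
        self.by_category: Dict[str, List[Feed]] = defaultdict(list)
        for f in feeds:
            self.by_vendor[f.vendor].append(f)
            self.by_category[f.category].append(f)

    def breach_scope(self, vendor: str) -> Dict[str, dict]:
        """For a breached vendor: categories at risk, owners to notify, subject counts."""
        scope: Dict[str, dict] = {}
        for f in self.by_vendor.get(vendor, []):
            entry = scope.setdefault(f.category, {"owners": set(), "subjects": 0})
            entry["owners"].add(f.owner)
            entry["subjects"] += f.subjects
        return scope

    def vendors_holding(self, category: str) -> Set[str]:
        """Every vendor that holds a category; useful when the same class of product is hit at several vendors."""
        return {f.vendor for f in self.by_category.get(category, [])}


if __name__ == "__main__":
    inv = DataInventory(FEEDS)
    for category, entry in inv.breach_scope("BenefitsAdminCo").items():
        print(category, sorted(entry["owners"]), entry["subjects"])
```

The second index is what answers the follow-up question a campaign against a product class raises: once one vendor is confirmed breached, `vendors_holding` lists the other vendors that hold the same category and should be asked for their status.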
Detection guidance that aged well
Our 2023 MOVEit detection guidance focused on three things: webshell artefacts in IIS, unusual SQL activity from the MOVEit service account, and large outbound transfers from MOVEit hosts. All three remain effective against current MFT exploitation campaigns. The class of attack rarely changes much. Webshells get dropped, databases get scraped, data gets exfiltrated. The signatures evolve but the chokepoints persist.
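The three chokepoints above as detection logic over sample logs, added here as an example and not BIPI's 2023 guidance: server-side script files requested on the IIS front end outside the application's known script paths, the MFT service account touching tables outside its baseline working set, and aggregate outbound volume from the MFT host to external addresses above a threshold. The log formats, the host and account names, the path allowlist, the table baseline, the threshold and every log line are constructed assumptions.

```python
"""Detections for the three MFT exploitation chokepoints.

Added example, not BIPI's published rules. All names and log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MFT_HOSTS = {"10.1.5.20"}                                # assumed MFT front end
MFT_DB_ACCOUNT = "svc_mft"                               # assumed service account
BASELINE_TABLES = {"transfers", "sessions", "folders"}   # assumed normal working set
KNOWN_SCRIPT_PATHS = {"/app/login.aspx", "/app/transfer.aspx"}  # assumed allowlist
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024                # assumed per-destination threshold
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx)$", re.IGNORECASE)
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# Constructed IIS W3C lines. Assumed field order:
# date time s-ip method uri-stem query port user c-ip ua referer status substatus win32 time-taken
IIS_SAMPLE = [
    "2024-04-02 03:14:07 10.1.5.20 POST /app/login.aspx - 443 - 10.1.40.12 Mozilla/5.0 - 200 0 0 120",
    "2024-04-02 03:15:22 10.1.5.20 POST /app/images/helper.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 45",
    "2024-04-02 03:15:40 10.1.5.20 GET /app/images/logo.png - 443 - 10.1.40.12 Mozilla/5.0 - 200 0 0 3",
]
# Constructed SQL audit lines: time|user|statement
SQL_SAMPLE = [
    "2024-04-02 03:15:30|svc_mft|SELECT id, status FROM transfers WHERE id = 4411",
    "2024-04-02 03:16:02|svc_mft|SELECT username, password_hash, email FROM users",
    "2024-04-02 03:16:10|reporting|SELECT count(*) FROM users",
]
# Constructed flow records: time,src,dst,bytes
FLOW_SAMPLE = [
    "2024-04-02 03:20:00,10.1.5.20,10.1.40.12,20480",
    "2024-04-02 03:25:00,10.1.5.20,198.51.100.7,314572800",
    "2024-04-02 03:31:00,10.1.5.20,198.51.100.7,314572800",
]


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_webshell_requests(iis_lines: List[str]) -> List[Finding]:
    """Successful requests for server-side scripts the application is not known to serve."""
    findings = []
    for line in iis_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 12:
            continue
        uri, client, status = fields[4], fields[8], fields[11]
        if SCRIPT_EXT.search(uri) and uri not in KNOWN_SCRIPT_PATHS and status.startswith("2"):
            findings.append(Finding("webshell_candidate", f"{client} -> {uri}"))
    return findings


def detect_db_anomalies(sql_lines: List[str]) -> List[Finding]:
    """Service-account statements that reference tables outside its baseline."""
    findings = []
    for line in sql_lines:
        ts, user, stmt = line.split("|", 2)
        if user != MFT_DB_ACCOUNT:
            continue
        off_baseline = {t.lower() for t in TABLE_REF.findall(stmt)} - BASELINE_TABLES
        if off_baseline:
            findings.append(Finding("db_off_baseline", f"{user} touched {sorted(off_baseline)} at {ts}"))
    return findings


def detect_bulk_outbound(flow_lines: List[str]) -> List[Finding]:
    """Aggregate bytes from MFT hosts to each external destination; flag above threshold."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in flow_lines:
        _, src, dst, nbytes = line.split(",")
        if src in MFT_HOSTS and is_external(dst):
            totals[(src, dst)] += int(nbytes)
    return [Finding("bulk_outbound", f"{s} -> {d}: {b} bytes")
            for (s, d), b in totals.items() if b >= EXFIL_THRESHOLD_BYTES]


def run_all(iis: List[str], sql: List[str], flows: List[str]) -> List[Finding]:
    return detect_webshell_requests(iis) + detect_db_anomalies(sql) + detect_bulk_outbound(flows)


if __name__ == "__main__":
    for f in run_all(IIS_SAMPLE, SQL_SAMPLE, FLOW_SAMPLE):
        print(f.kind, f.detail)
```

Each rule keys on the chokepoint rather than on a particular campaign's file names or queries, which is why the same three checks transfer to other MFT products: replace the allowlist, the service account and the table baseline with the values for the product in question and the logic stands.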
Contract clauses that matter
Procurement teams asked us in 2023 what contract changes to push for. Three years on, here are the clauses that have actually held up in real incidents:
- Notification within 24 hours of confirmed unauthorised access, regardless of investigation status
- Right to audit security controls annually, not just on initial procurement
- Vendor obligation to provide IOCs and forensic artefacts to support customer-side investigation
- Direct contractual liability for negligent failure to patch known vulnerabilities within 14 days
The 24-hour notification clause is the one that gets pushed back on hardest by vendors. It is also the one that pays back most in real incidents. Insist on it.
What we still see going wrong
Shadow MFT remains the most common gap. Developer-managed FTP servers running on EC2 instances with admin endpoints exposed. Legacy Cleo installations that nobody owns. SharePoint sites with anonymous upload links that have been there since 2019. The MOVEit campaign should have triggered a sweep of every file transfer surface. Many organisations did the sweep in mid-2023 and have not repeated it. The shadow installations come back. Plan to sweep annually and assume the inventory you have is incomplete.