BIPI

MOVEit Aftermath: 2,700 Victims and the Lessons from CVE-2023-34362

Threat Intelligence

SQL injection in MOVEit Transfer let Cl0p hit over 2,700 organizations in one coordinated campaign: the largest breach event of 2023 by confirmed victim count.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 12, 2024 · 11 min read

#cve-2023-34362 #moveit #cl0p #sql-injection #ransomware #mft-security

CVE-2023-34362 is a critical SQL injection vulnerability in Progress Software's MOVEit Transfer managed file transfer (MFT) application (CVSS 3.1 base score 9.8). The Cl0p ransomware group exploited it in late May 2023 in a coordinated campaign against thousands of internet-exposed MOVEit Transfer instances at once, exfiltrating sensitive data and issuing extortion demands. By the end of 2023, more than 2,700 organizations in 23 countries had confirmed they were affected, many of them indirectly, through a payroll, pension or other service provider that ran MOVEit on their behalf.

The SQL Injection Mechanism

MOVEit Transfer's web front end builds database queries, including those around its session handling (the page's source names the MOVEIT_TRANSFER_SESSION table), from attacker-influenced request data without adequate sanitization, and the affected code paths are reachable over the application's HTTPS interface before authentication. An unauthenticated attacker sends crafted HTTP POST requests that inject SQL, allowing enumeration of the database schema, extraction or forging of session tokens for authenticated users, and ultimately reading of the file transfer database, including stored file metadata and the paths of files in transit. The injection by itself yields database access; dropping a file into the web root additionally requires code execution on the host, and the publicly analysed exploit chains reached that by chaining the SQL injection with further weaknesses in the same application.

Affected Versions

  • MOVEit Transfer 2023.0.0 prior to 2023.0.1
  • MOVEit Transfer 2022.1.x prior to 2022.1.5
  • MOVEit Transfer 2022.0.x prior to 2022.0.4
  • MOVEit Transfer 2021.1.x prior to 2021.1.4
  • MOVEit Transfer 2021.0.x prior to 2021.0.6
  • MOVEit Cloud: patched by Progress before public disclosure
  • MOVEit Automation: separate product, not directly vulnerable to this CVE

Cl0p's Coordinated Campaign Strategy

Unlike opportunistic vulnerability exploitation, Cl0p's MOVEit campaign showed significant pre-planning. Mandiant and Microsoft both assessed that Cl0p likely had access to the vulnerability for months before the exploitation window, spending the intervening time identifying high-value targets and pre-staging operations. Exploitation was concentrated into the U.S. Memorial Day holiday weekend, beginning on May 27, 2023, with Progress publishing its advisory on May 31; this maximized the exfiltration window while security teams were running on reduced holiday staffing.

Cl0p reportedly began developing and testing the MOVEit exploit as early as 2021, building on SQL injection patterns seen in earlier MOVEit vulnerabilities. The 2023 campaign was therefore not opportunistic: it was a pre-built capability held back until operational conditions were most favourable.

Post-Exploitation: Web Shell Deployment

After gaining a foothold through the SQL injection chain, Cl0p deployed a custom ASPX web shell that Mandiant named LEMURLOOT. The shell supported commands to enumerate the MOVEit database, retrieve the Azure Blob Storage account settings (account name, key and container) used by MOVEit for cloud-backed file storage, download files from the MOVEit Transfer system, and create or delete MOVEit users. LEMURLOOT authenticated incoming requests with a hard-coded password carried in a custom request header (X-siLock-Comment) and returned a 404 error page to any request lacking it, which blunted casual scanning and sandbox analysis.

  • LEMURLOOT web shell placed at MOVEit web root as human2.aspx or similar name
  • Azure Blob Storage keys extracted for organizations using cloud-backed MOVEit storage
  • Targeted download of specific file types: .pdf, .docx, .xlsx prioritized
  • Cl0p issued public extortion demands via dark web blog rather than encrypting files
  • No ransomware encryption: pure data theft and extortion model

Scale of Impact by Sector

  • Government: Multiple U.S. federal agencies, UK government pension systems
  • Healthcare: Multiple hospital systems and pharmacy benefit managers
  • Financial services: Major financial institutions across North America and Europe
  • Education: Hundreds of U.S. universities and school districts
  • Critical infrastructure: Energy and utilities companies in multiple countries

Detection: What to Look For

Search IIS access logs for POST requests to /api/v1/account, /moveitisapi/moveitisapi.dll, or /human2.aspx from external IP addresses, and for any request at all to /human2.aspx. Baseline normal client traffic first: the application's own web client and API users legitimately hit the API and ISAPI endpoints, so the signal is external sources, unusual volumes, and clustering in the May 27 to May 31, 2023 window. Look for HTTP 500 responses or database error strings in the application logs, which can indicate injection attempts. The presence of any .aspx file in the MOVEit wwwroot directory that was not present at deployment time is a high-fidelity indicator of LEMURLOOT or an equivalent web shell; compare against a known-good file list rather than eyeballing names, since the shell was named to blend in with the legitimate human.aspx. Finally, review MOVEit's own user table and audit log for accounts you did not create and for large or bulk downloads by a single session.
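As an added example (not code from the original page, nor from Progress or Cl0p), the script below runs the checks just described over IIS W3C log lines: it flags external POSTs to the listed paths, any .aspx outside an assumed known-good set, and any external client that pulled more than a threshold of bytes. The field names assume a standard IIS W3C log (c-ip, cs-method, cs-uri-stem, sc-status, sc-bytes); the KNOWN_ASPX set and the 100 MiB threshold are assumptions to tune per deployment, and SAMPLE_LOG is constructed for the demo.

```python
"""Triage IIS W3C logs from a MOVEit Transfer host for CVE-2023-34362 indicators.

Added example, not Progress or Cl0p code. Assumes the IIS log carries the
standard W3C fields c-ip, cs-method, cs-uri-stem, sc-status and sc-bytes.
The KNOWN_ASPX baseline and the bulk-download threshold are assumptions you
must tune to your own deployment. SAMPLE_LOG is constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# POST targets from the detection guidance above; matching is case-insensitive.
SUSPICIOUS_POST_PATHS = {
    "/api/v1/account",
    "/moveitisapi/moveitisapi.dll",
    "/human2.aspx",
}
# Assumed baseline of .aspx pages that legitimately exist on this install.
KNOWN_ASPX = {"/human.aspx", "/guestaccess.aspx", "/machine.aspx"}

# Address ranges treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_external(ip: str) -> bool:
    """True for a parseable client address that lies outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields header to name columns."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def triage(lines, bulk_threshold_bytes=100 * 1024 * 1024):
    """Return (kind, client_ip, detail, status) findings for an analyst to review."""
    findings = []
    bytes_by_ip = defaultdict(int)
    for row in parse_w3c(lines):
        ip = row.get("c-ip", "")
        method = row.get("cs-method", "").upper()
        path = row.get("cs-uri-stem", "").lower()
        status = row.get("sc-status", "")
        try:
            bytes_by_ip[ip] += int(row.get("sc-bytes", "0"))
        except ValueError:
            pass  # IIS writes "-" when the field is unavailable
        if method == "POST" and path in SUSPICIOUS_POST_PATHS and is_external(ip):
            findings.append(("suspicious_post", ip, path, status))
        if path.endswith(".aspx") and path not in KNOWN_ASPX:
            findings.append(("unexpected_aspx", ip, path, status))
    # A large total served to one external client is the exfiltration signal.
    for ip, total in bytes_by_ip.items():
        if total >= bulk_threshold_bytes and is_external(ip):
            findings.append(("bulk_download", ip, str(total), ""))
    return findings


# Constructed sample: one internal user, one external client probing the ISAPI
# endpoint, hitting human2.aspx and pulling ~150 MiB, and one internal POST.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx 200 5120
2023-05-28 03:14:09 198.51.100.23 POST /moveitisapi/moveitisapi.dll 200 1024
2023-05-28 03:14:10 198.51.100.23 POST /human2.aspx 200 2048
2023-05-28 03:15:01 198.51.100.23 GET /human2.aspx 200 157286400
2023-05-28 03:16:22 10.0.0.7 POST /moveitisapi/moveitisapi.dll 200 900
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The internal POST to moveitisapi.dll is deliberately not flagged: the application's own clients use that endpoint, so the script keys on external sources, unexpected pages and volume. A request for human2.aspx is flagged regardless of source, since no legitimate page by that name exists. Point the script at the real log files with `triage(open(path))` after adjusting KNOWN_ASPX to what your deployment actually serves.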

Remediation and Hardening

  1. Apply Progress MOVEit patches immediately; several additional MOVEit Transfer CVEs were disclosed in the weeks after CVE-2023-34362, so patch to the current release rather than only the first fix
  2. Audit wwwroot for LEMURLOOT and any unexpected .aspx files, comparing against a known-good file list from a clean install
  3. Rotate all Azure Blob Storage keys associated with MOVEit, along with the MOVEit service account and database credentials
  4. Review MOVEit audit logs for large file downloads, bulk transfers, and user accounts you did not create
  5. Restrict internet access to the MOVEit web interface via firewall rules if external access is not required
  6. Require MFA for all MOVEit administrative accounts

Broader Lessons for MFT Security

  • MFT platforms are high-value targets because they hold sensitive data in transit from multiple organizations simultaneously
  • Apply the same patching urgency to MFT platforms as to perimeter security devices
  • Include MFT vendors in your third-party security assessment program
  • Enable file integrity monitoring on MFT web root directories
  • Segment MFT servers from internal networks with strict egress filtering
  • Review what data categories flow through each MFT platform and apply controls proportional to sensitivity
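Remediation step 2 (audit wwwroot for unexpected .aspx files) and the file integrity monitoring lesson come down to the same control: a hashed baseline of the web root taken after a clean deployment, re-checked on a schedule. The Python below is an added example, not Progress code and not a MOVEit feature; the directory tree it checks is constructed in a temporary folder for the demo, and the set of high-risk extensions is an assumption to extend for your environment.

```python
"""Baseline a MOVEit web root and re-check it for dropped or altered files.

Added example; not Progress code and not a MOVEit feature. The demo tree is
constructed with tempfile. In production, take the baseline right after a
clean deployment, keep it off the host so an intruder cannot edit it, and
alert on any new or changed file with a server-side-executable extension.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions that execute server-side or change app behaviour under IIS (assumed set).
HIGH_RISK_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config"}


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, path) -> None:
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift; anything new or changed with a risky suffix is high_risk."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    high_risk = sorted(p for p in added + modified
                       if Path(p).suffix.lower() in HIGH_RISK_SUFFIXES)
    return {"added": added, "removed": removed,
            "modified": modified, "high_risk": high_risk}


def demo() -> dict:
    """Constructed scenario: clean baseline, then a web shell drop and a config edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "images").mkdir(parents=True)
        (root / "human.aspx").write_text("<%@ Page %>")
        (root / "web.config").write_text("<configuration/>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Post-exploitation drift of the kind the text describes for LEMURLOOT.
        (root / "human2.aspx").write_text("<%@ Page Language=\"C#\" %>")
        (root / "web.config").write_text("<configuration><!-- edited --></configuration>")
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline immediately after patching and verifying the install is clean, then schedule `compare(load_baseline(...), snapshot(wwwroot))` from a host the MOVEit server cannot write to. Anything in high_risk warrants the same handling as a confirmed web shell until proven otherwise, since a legitimate patch is the only expected source of such changes and its timing is known.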

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.