BIPI

MOVEit Transfer CVE-2023-34362: Cl0p's Mass Exploitation Playbook

Threat Intelligence

Cl0p exploited a SQL injection zero-day in Progress MOVEit Transfer over the U.S. Memorial Day weekend in 2023. By year-end, 2,700+ organizations and 90+ million individuals were affected. A look at the campaign mechanics and the fourth-party data exposure problem.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 24, 2024 · 9 min read

#moveit #cl0p #supply-chain #zero-day

Progress Software disclosed CVE-2023-34362 on May 31, 2023: a SQL injection vulnerability in MOVEit Transfer's web interface that allowed unauthenticated remote attackers to access the underlying database and stage arbitrary files. Mandiant, Huntress, and Microsoft confirmed within days that Cl0p had been exploiting the vulnerability since at least May 27, 2023, against thousands of internet-exposed MOVEit instances. By Q4 2023, the campaign had become the largest publicly documented file-transfer compromise in history.

Timeline of the campaign

  1. Late 2022: Cl0p (Mandiant: FIN11) is believed to have discovered the SQL injection during a research effort targeting managed file transfer products. Earlier Cl0p campaigns had targeted GoAnywhere MFT (CVE-2023-0669) and Accellion FTA (CVE-2021-27101 series).
  2. May 27 to 28, 2023: Mass scanning and exploitation of internet-facing MOVEit Transfer instances over the Memorial Day weekend in the U.S.
  3. May 31, 2023: Progress releases the first advisory and a patch. Cl0p has by this point exfiltrated data from a large initial victim cohort.
  4. June 7, 2023: Cl0p posts its first extortion list on its Tor leak site.
  5. June to December 2023: Cl0p stages waves of victim names, including U.S. Department of Energy, Shell, BBC, British Airways, the State of Maine, and many universities and pension funds.
  6. December 2023 to 2024: Long tail of disclosures continues as fourth-party data exposure (data held by victims about their own customers, vendors, and beneficiaries) gets unwound.

Root cause: SQL injection plus LEMURLOOT web shell

The exploit chain is straightforward. The MOVEit Transfer web component accepted attacker-controlled input that flowed into a SQL query against the MOVEit database. The query allowed attackers to read database contents and, more importantly, to write a custom web shell (named LEMURLOOT by Mandiant and typically dropped as human2.aspx) to the MOVEit webroot. With the web shell in place, the operator could enumerate transferred files, issue copy operations to attacker-controlled storage, and clean up logs. What was exfiltrated was the file contents stored in MOVEit, not credentials or code.

What made the blast radius enormous

MOVEit Transfer is used by a specific kind of customer: organizations that move bulk regulated data with external parties. That includes payroll providers, pension administrators, healthcare claims processors, and government benefits operators. A single MOVEit instance at a payroll provider could hold data on hundreds of downstream client organizations. When Cl0p exfiltrated that instance, the victim count on the leak site was one organization, but the underlying affected individuals were employees of all the downstream clients. Zellis, a UK payroll provider, was one such case: their breach disclosure expanded into named victims at BBC, British Airways, and Boots.

Detection signals during the campaign window

  • Presence of human2.aspx, human.aspx with anomalous content, or any new ASPX in the MOVEit webroot after May 27, 2023.
  • Database queries on the MOVEit database containing UNION SELECT patterns originating from the application service account.
  • Outbound HTTPS to MEGA[.]nz, gofile[.]io, or any cloud storage URL not on your approved egress list, from the MOVEit server.
  • A sudden spike in the volume of transfer-directory contents read from the MOVEit store by the application service account.
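The four signals above, turned into triage checks over constructed sample evidence. This is an added example, not code from BIPI or Progress; the log layouts (pipe-separated DB audit records, space-separated proxy records, a per-day read-volume series) and the baseline digests are assumptions made for illustration and are not MOVEit Transfer's real formats.

```python
"""Triage of the four MOVEit/Cl0p detection signals over constructed sample
evidence.  Record layouts below are assumptions for illustration, not
MOVEit Transfer's real log formats."""
import re
from statistics import median
from urllib.parse import urlparse

# --- Constructed sample evidence -------------------------------------------

# Current webroot inventory: ASPX filename -> content digest (placeholder values).
WEBROOT_NOW = {
    "human.aspx": "sha256:9e9e9e",    # digest differs from baseline: modified
    "human2.aspx": "sha256:ffffff",   # absent from baseline: new file
    "machine.aspx": "sha256:c3d4e5",
}
# Known-good inventory taken from a clean install of the same build (placeholder).
WEBROOT_BASELINE = {"human.aspx": "sha256:a1b2c3", "machine.aspx": "sha256:c3d4e5"}

# Database audit records: timestamp|login|statement text (constructed).
SQL_AUDIT = [
    "2023-05-27T03:12:44Z|moveitsvc|SELECT ID, Name FROM folders WHERE InstID = @p1",
    "2023-05-27T03:15:02Z|moveitsvc|SELECT ID FROM folders WHERE ID = 7 UNION SELECT LoginName FROM users",
    "2023-05-27T03:15:09Z|moveitsvc|SELECT ID FROM folders WHERE ID = 7 UNION/**/ALL/**/SELECT 1",
    "2023-05-27T09:00:00Z|reportsvc|SELECT a FROM t1 UNION SELECT b FROM t2",  # other login, out of scope
]
APP_SERVICE_ACCOUNT = "moveitsvc"

# Forward-proxy egress records from the MOVEit host: timestamp src url bytes (constructed).
EGRESS = [
    "2023-05-27T03:20:10Z moveit01 https://partner.example.com/inbox/ 20480",
    "2023-05-27T03:41:55Z moveit01 https://mega.nz/api/upload 734003200",
    "2023-05-27T03:50:01Z moveit01 https://files.gofile.io/upload 512000000",
    "2023-05-27T04:00:00Z moveit01 http://partner.example.com/status 1200",
]
EGRESS_ALLOWLIST = {"partner.example.com", "backup.corp.example.net"}

# Bytes read per day from the transfer store by the application account (constructed).
DAILY_READ_BYTES = [
    ("2023-05-22", 3_100_000_000), ("2023-05-23", 2_900_000_000),
    ("2023-05-24", 3_300_000_000), ("2023-05-25", 3_000_000_000),
    ("2023-05-26", 2_800_000_000), ("2023-05-27", 41_000_000_000),
]

# --- Signal checks ----------------------------------------------------------

def flag_webroot(now, baseline):
    """Signal 1: ASPX files that are new, or whose content differs from baseline."""
    findings = []
    for name, digest in sorted(now.items()):
        if not name.lower().endswith(".aspx"):
            continue
        if name not in baseline:
            findings.append((name, "new file not in baseline"))
        elif baseline[name] != digest:
            findings.append((name, "content differs from baseline"))
    return findings

_UNION_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE)

def flag_union_select(audit_lines, service_account):
    """Signal 2: UNION SELECT issued under the application's own DB login.
    Inline /* */ comments are stripped first so UNION/**/SELECT is still caught."""
    hits = []
    for line in audit_lines:
        ts, login, stmt = line.split("|", 2)
        if login != service_account:
            continue
        normalized = re.sub(r"/\*.*?\*/", " ", stmt)
        if _UNION_RE.search(normalized):
            hits.append((ts, stmt))
    return hits

def _host_allowed(host, allowlist):
    return any(host == a or host.endswith("." + a) for a in allowlist)

def flag_egress(lines, allowlist):
    """Signal 3: outbound HTTP(S) from the MOVEit host to hosts off the allow-list."""
    hits = []
    for line in lines:
        ts, _src, url, nbytes = line.split()
        u = urlparse(url)
        if u.scheme not in ("http", "https") or u.hostname is None:
            continue
        if not _host_allowed(u.hostname.lower(), allowlist):
            hits.append((ts, u.hostname.lower(), int(nbytes)))
    return hits

def flag_read_spike(daily, factor=5.0, window=5):
    """Signal 4: a day whose read volume exceeds `factor` x the median of the
    preceding `window` days.  Returns (day, multiple-of-baseline)."""
    hits = []
    for i in range(window, len(daily)):
        day, nbytes = daily[i]
        base = median(b for _, b in daily[i - window:i])
        if nbytes > factor * base:
            hits.append((day, round(nbytes / base, 1)))
    return hits

def triage():
    """Run all four checks and return the findings keyed by signal."""
    return {
        "webroot": flag_webroot(WEBROOT_NOW, WEBROOT_BASELINE),
        "union_select": flag_union_select(SQL_AUDIT, APP_SERVICE_ACCOUNT),
        "egress": flag_egress(EGRESS, EGRESS_ALLOWLIST),
        "read_spike": flag_read_spike(DAILY_READ_BYTES),
    }

if __name__ == "__main__":
    for signal, hits in triage().items():
        print(f"{signal}: {hits}")
```

The webroot check compares against a digest inventory from a clean install rather than a list of "known bad" names, because the second-stage file was not always called human2.aspx and a modified human.aspx is the harder case to spot. The egress check matches on host suffix so that partner subdomains stay allowed while any unlisted cloud-storage host is raised.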

Lessons for managed file transfer audit

Three audit findings became standard in our 2024 client work because of MOVEit. First, managed file transfer products should not be internet-exposed without a strict WAF in front and IP allow-listing where partner topology allows. The MOVEit web interface did not need to be reachable from the entire internet for legitimate transfers to work. Second, file retention on the MFT must be aggressive: many MOVEit victims had files dating back years on the same server because no retention policy existed. Third, vendor-side audit of MFT products should include a specific question about input validation on file-search and folder-browse endpoints, which is exactly where CVE-2023-34362 lived.
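To make the third finding concrete, here is a folder-browse lookup in the shape an auditor should be asking about, shown in its string-built form and its hardened form. This is an added example written for this post, not MOVEit's code and not the page's own; the `folders` table, its columns and the tenant ids are an illustrative schema over in-memory SQLite, not Progress's actual data model.

```python
"""Folder-browse lookup: the string-built anti-pattern beside the hardened
(validated + parameterized) form.  Schema and names are illustrative, not
MOVEit Transfer's."""
import re
import sqlite3

# Allow-list for folder-name filters: no quotes, no LIKE wildcards, bounded length.
_NAME_RE = re.compile(r"^[A-Za-z0-9-]{0,64}$")

def make_db():
    """In-memory stand-in for the MFT database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE folders (id INTEGER PRIMARY KEY, inst_id INTEGER NOT NULL, name TEXT NOT NULL);
        INSERT INTO folders VALUES
            (1, 100, 'payroll-acme'),
            (2, 100, 'payroll-globex'),
            (3, 200, 'claims-initech');   -- belongs to a different tenant
    """)
    return conn

def browse_unsafe(conn, inst_id: str, name_filter: str):
    """Anti-pattern: request strings spliced into the statement text, so the
    database engine parses user data as SQL."""
    sql = (f"SELECT id, name FROM folders WHERE inst_id = {inst_id} "
           f"AND name LIKE '{name_filter}%'")
    return conn.execute(sql).fetchall()

def browse_safe(conn, inst_id: str, name_filter: str):
    """Hardened form: check the shape of every input, then bind the values as
    parameters so they can only ever be data."""
    if not inst_id.isdigit():
        raise ValueError("inst_id must be a decimal integer")
    if not _NAME_RE.fullmatch(name_filter):
        raise ValueError("name_filter contains characters outside the allow-list")
    sql = "SELECT id, name FROM folders WHERE inst_id = ? AND name LIKE ? || '%'"
    return conn.execute(sql, (int(inst_id), name_filter)).fetchall()

def demo():
    """Send the same two requests through both handlers and report the outcome."""
    conn = make_db()
    benign = ("100", "payroll")
    hostile = ("100", "x' OR 1=1 --")   # constructed: textbook tautology plus comment
    out = {
        "safe_benign": browse_safe(conn, *benign),
        "unsafe_benign": browse_unsafe(conn, *benign),
        "unsafe_hostile": browse_unsafe(conn, *hostile),
    }
    try:
        browse_safe(conn, *hostile)
        out["safe_hostile"] = "accepted"
    except ValueError as exc:
        out["safe_hostile"] = f"rejected: {exc}"
    return out

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point of the hostile case is the third row: the string-built handler returns a folder belonging to tenant 200 to a request scoped to tenant 100, which is the data-flow version of the blast radius described above. The hardened handler never reaches the database with that input; even if the allow-list were loosened, parameter binding keeps the filter as a literal.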

  • 2,700+ organizations confirmed compromised
  • 90M+ individuals affected (low estimate)
  • CVSS 9.8 initial CVE rating
  • $10B+ IBM-estimated total incident cost

MOVEit was not a supply chain attack in the SolarWinds sense. It was a supply chain attack in the data-flow sense: compromise one MFT instance and you compromise the customers of the customer of the customer.

The campaign also produced a useful regulatory artifact. The SEC's 2023 cyber disclosure rules came into effect in December, and several large MOVEit victims were among the first 8-K filers under the new rule. The disclosures showed how hard 'material impact' is to assess when the data was about your customers' customers. For practitioners writing breach playbooks in 2024, the MOVEit aftermath is the standard reference for what fourth-party disclosure looks like in practice.
