Incident analysis

MOVEit and Clop: how one SQL injection exposed 77 million people

The Clop ransomware gang exploited a zero-day SQL injection in Progress Software's MOVEit Transfer to breach over 2,600 organizations and steal data belonging to 77 million individuals. Here's how the attack unfolded.

FoxHat Research · June 12, 2024 · 7 min read

In late May 2023, the Clop ransomware gang began exploiting a critical zero-day vulnerability in MOVEit Transfer, a widely used managed file transfer platform made by Progress Software. What started as a single SQL injection flaw quickly snowballed into one of the largest supply-chain breaches in history, affecting governments, universities, healthcare systems, and Fortune 500 companies.

  • 2,618 organizations confirmed breached (source: Emsisoft / DataBreaches.net tally, 2024)
  • 77,000,000+ individuals whose data was exposed (source: Emsisoft breach tracker)
  • ~5 days between first exploitation and public disclosure (source: Progress Software advisory timeline)

The vulnerability: CVE-2023-34362

The flaw was a SQL injection vulnerability in MOVEit Transfer's web interface. An unauthenticated attacker could send a crafted request that altered the application's database queries, ultimately gaining administrative access and deploying a webshell named LEMURLOOT. From there, Clop operators could list files, download data, and maintain persistence on the server even after the vulnerability itself was patched.
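To make the vulnerability class concrete, here is an added illustration (not code from the article and not MOVEit Transfer's actual code) of the root cause: a query built by string concatenation beside the same query with a bound parameter. The `users` table, its rows, and the function names are constructed for the example and do not reflect the product's real schema. The vulnerable version lets a user-supplied string change the meaning of the SQL statement; the parameterized version treats the same input as a plain value, which is the fix defenders should look for in their own code.

```python
import sqlite3

# Constructed sample data standing in for an application database
# (hypothetical table and rows, not MOVEit Transfer's schema).
SAMPLE_USERS = [
    ("alice", "user"),
    ("bob", "user"),
    ("admin", "administrator"),
]

# A classic tautology payload used only to show the behavioural difference
# between the two query styles below.
TAUTOLOGY_INPUT = "' OR '1'='1"


def build_demo_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by concatenation: the caller's input becomes
    part of the SQL grammar, so a crafted value rewrites the WHERE clause."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Sends the same statement with a bound parameter: the driver passes the
    input as a string value, so it can never alter the query's structure."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Return (rows from the vulnerable query, rows from the safe query) for
    the same tautology input, so the difference can be checked directly."""
    conn = build_demo_db()
    leaked = find_user_vulnerable(conn, TAUTOLOGY_INPUT)  # every row comes back
    safe = find_user_safe(conn, TAUTOLOGY_INPUT)          # no such username: empty
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned", len(leaked), "rows:", leaked)
    print("parameterized query returned", len(safe), "rows:", safe)
```

The concatenated query turns into `WHERE username = '' OR '1'='1'`, which matches every row, including the administrator account; the parameterized query looks for a literal username containing quotes and finds nothing. Code review and static analysis rules that flag string-built SQL, and database-side logging of unusually broad result sets, both target exactly this pattern.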

Why the blast radius was so large

MOVEit Transfer is not a niche product. It sits inside thousands of enterprises, government agencies, and service providers as the plumbing that moves sensitive files between organizations. When a hospital chain uses MOVEit to exchange patient records with insurers, and both sides are vulnerable, the breach cascades downstream. That is exactly what happened: a single vulnerable MOVEit server at a business-services provider could expose data belonging to dozens of that provider's customers.

Notable victims

  • U.S. Department of Energy and multiple federal agencies
  • British Airways, BBC, and Boots (via payroll provider Zellis)
  • Shell, Siemens Energy, and Schneider Electric
  • Major U.S. universities and state Medicaid agencies
  • Credit-rating agencies and financial services firms

The extortion playbook

Clop did not encrypt files in the traditional ransomware sense. Instead they exfiltrated data and posted a ticking-clock notice on their dark-web leak site: pay within a deadline or the stolen files go public. This double-extortion model is now standard, but the MOVEit campaign was distinguished by its scale and by the fact that many victims had no direct relationship with Progress Software — they were simply customers of a customer.

The defensive lesson is stark: a vulnerability in software you did not write, running on infrastructure you do not manage, can still expose your data to the open internet. External exposure detection that watches file-transfer endpoints, subdomain takeovers, and leaked credentials across your entire vendor graph is the only way to close that blind spot.

"The Clop cybercrime gang's attacks on MoveIt Transfer customers have affected 2,095 organizations and 62,054,613 individuals."
  — TechTarget / Emsisoft, September 2023 (the count has since grown)
