MOVEit Breach 2023: How One Zero-Day Hit 1,000+ Organizations and Cl0p Made $100M

BREACH INTELLIGENCE

Breach date: May–June 2023
Industry: Multi-Sector
Severity: Critical
Records Exposed: Tens of millions
Financial Impact: $1B+ aggregate

Breach Summary

The MOVEit Transfer mass exploitation of May–June 2023 is one of the largest single-vulnerability exploitation events on record by number of affected organizations. The Cl0p ransomware group exploited a SQL injection zero-day in Progress Software's MOVEit Transfer managed file transfer platform, compromising over 1,000 organizations and exposing data belonging to tens of millions of individuals in one coordinated campaign. The victims ranged from Shell and British Airways to the US Department of Energy and the personal data of millions of Oregon DMV customers.

MOVEit represents a shift in ransomware economics: rather than compromising organizations one at a time, Cl0p identified a single vulnerability in widely deployed managed file transfer software and exploited internet-accessible instances at scale, within days of each other. The economics of mass exploitation, one vulnerability, thousands of victims, thousands of potential ransom demands, are far more efficient for the attacker than targeted intrusion campaigns.

What Happened

Cl0p identified CVE-2023-34362 in Progress Software's MOVEit Transfer platform before public disclosure and weaponized it for a coordinated mass exploitation campaign. Beginning in late May 2023, Cl0p scanned the internet for MOVEit Transfer instances and used the SQL injection vulnerability to extract data from each one it could reach. The exploitation window itself lasted days, not months; the eventual count of 1,000+ affected organizations includes both directly exploited instances and organizations whose data was held by compromised third parties such as payroll, pension and benefits administrators. The affected organizations spanned every sector: government agencies, financial services firms, healthcare organizations, energy companies, technology companies, and professional services firms.

Cl0p's business model for MOVEit differed from traditional ransomware. No encryption was deployed; the group relied entirely on data exfiltration and extortion, threatening to publish stolen data on its leak site unless the victim paid. Many organizations chose not to pay, and Cl0p published data from non-paying victims. The number of simultaneous victims exceeded what the group could negotiate with at once, and many victims never engaged with the extortion demand at all.

Attack Vector Detail

The Attack Vector: A Zero-Day in File Transfer Infrastructure

CVE-2023-34362 was a SQL injection flaw in MOVEit Transfer's web interface. SQL injection has been understood for more than two decades and is prevented by standard secure coding practice, chiefly parameterized queries. The MOVEit web application built a database query from attacker-controlled input, which let an unauthenticated attacker read and modify the contents of the MOVEit database and, by chaining the injection with further steps, execute code on the server. In the observed attacks the chain ended with a web shell written into the application's web root (reported by Progress and CISA under the filename human2.aspx, named to resemble the legitimate human.aspx page), which the attackers then used to enumerate folders and download files.

Cl0p had identified and weaponized the vulnerability before disclosure, exploiting it in a coordinated campaign that began in late May 2023. The attackers automated the process to scan for and compromise internet-facing MOVEit Transfer instances at scale, extracting data from each. Because MOVEit is designed for enterprise file transfer, the data stored in compromised instances was disproportionately sensitive: financial reports, HR records, healthcare data, government documents, and intellectual property moved through the platform by organizations that used it as their secure file sharing solution. One consequence for responders: because the exploit was in use before the patch existed, applying the patch alone did not remediate an instance compromised during the window. Progress's advisory directed customers to look for the web shell and other unexpected files, review access logs for the period, and reset service account credentials.
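As an added illustration, not MOVEit's code (which is not public) and not from the page's authors, the following Python script reproduces the defect class against an in-memory SQLite database: a file lookup that concatenates user input into SQL, beside the parameterized version. The table and column names, the sample rows and the payload are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed schema standing in for a file-transfer app's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files (id INTEGER, name TEXT, owner TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO files VALUES (1, 'q2-report.xlsx', 'finance'),
                                 (2, 'payroll.csv', 'hr');
        INSERT INTO users VALUES (1, 'admin', '$2b$12$examplehash1'),
                                 (2, 'svc_transfer', '$2b$12$examplehash2');
    """)
    return conn


def lookup_file_vulnerable(conn, name):
    # Attacker-controlled `name` is pasted into the statement, so a single
    # quote character lets the caller rewrite the rest of the query.
    sql = f"SELECT id, name, owner FROM files WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_file_safe(conn, name):
    # The driver sends the value separately from the statement text; the
    # input is only ever compared against the name column, never parsed as SQL.
    sql = "SELECT id, name, owner FROM files WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Closes the string literal, appends a UNION that reads a different table
# with the same column count, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT id, username, password_hash FROM users --"


def demo():
    """Run the same lookup three ways and return the rows each produced."""
    conn = build_db()
    return {
        "normal": lookup_file_safe(conn, "payroll.csv"),
        "vulnerable_with_payload": lookup_file_vulnerable(conn, PAYLOAD),
        "safe_with_payload": lookup_file_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Run it and the concatenated query returns the users table's password hashes in response to what was supposed to be a file lookup, while the parameterized query returns nothing for the same input. Parameterization is the control; hand-escaping quotes is how injectable code usually reaches production.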

Breach Pattern Timeline

Early 2023

Cl0p ransomware group (Russia-aligned criminal enterprise active since 2019) develops zero-day exploit for SQL injection vulnerability in Progress Software's MOVEit Transfer — a managed file transfer product used by thousands of organizations for sensitive data exchange.

May 27-28, 2023 (Memorial Day weekend)

Cl0p deploys mass exploitation of CVE-2023-34362 against internet-facing MOVEit Transfer instances globally. Attack timed to U.S. holiday weekend when defender response is slowest.

May 31, 2023

Progress Software publishes an advisory for the vulnerability (assigned CVE-2023-34362, CVSS 9.8 Critical) and releases patches the same day; CISA adds it to the Known Exploited Vulnerabilities catalog on June 2. Cl0p has already exploited it at scale.

June 7, 2023

Cl0p publicly claims responsibility for the campaign. Begins listing victims on its dark web leak site.

June-October 2023

Cl0p systematically extorts victims: pay the ransom or have the stolen data published. Confirmed victims include British Airways, BBC, U.S. Department of Energy, U.S. Department of Health and Human Services, Shell, and Siemens Energy; the count of affected organizations eventually grows past 2,700 globally as downstream victims are identified.

July 2023

Estimated 60+ million individuals affected via downstream organizations. Major U.S. state government victims include Oregon DMV, Louisiana OMV, and the Maine state government, exposing driver's license and other identity data for millions of residents.

August 2023

Class actions against Progress Software, MOVEit operators, and downstream affected organizations accumulate in U.S. federal courts; the cases are subsequently consolidated into a single multidistrict litigation.

October 2023

Total affected individuals exceed 84 million globally per Emsisoft tracking. Extortion, breach notifications and victim disclosures continue well after the exploitation window has closed.

December 2024

Cl0p exploits additional zero-days in similar managed file transfer products, Cleo Harmony, VLTrader and LexiCom, confirming managed file transfer mass exploitation as a recurring Cl0p strategy alongside its earlier Accellion FTA (2021) and GoAnywhere MFT (early 2023) campaigns.

2024-2026

Affected count continues to climb past 95 million individuals. Class action litigation continues in U.S. federal courts. Estimated total breach-related costs across all affected organizations: $15+ billion.

Total impact: ~2,700+ organizations affected, 95+ million individuals exposed, $15B+ in collective remediation costs across victims, foundational precedent for managed file transfer software as a high-value attack surface and Cl0p's mass exploitation business model.

Executive Lessons

MOVEit established that file transfer infrastructure — often classified as utility software rather than security-critical infrastructure — can simultaneously expose thousands of organizations when a zero-day vulnerability is exploited at scale. The 1,000+ organizations affected in a single campaign, and the cascading downstream impact when large third-party administrators like Pension Benefit Information were compromised, demonstrated that MFT software exposure requires the same emergency response as remote access infrastructure.

Private Equity Implications

The MOVEit breach has a specific PE dimension: due diligence targets that use managed file transfer software for sharing sensitive financial, legal, or HR documents — and that have not assessed whether their file transfer platforms are current and properly secured — may have experienced undisclosed data exposure. Post-acquisition security assessments of companies that used MOVEit Transfer during the 2023 exploitation window should include investigation of whether those instances were compromised and what data may have been exfiltrated. PE firms that use managed file transfer platforms for sharing deal documents, financial models, and portfolio company data should evaluate whether those platforms were affected by the MOVEit campaign and whether equivalent vulnerabilities exist in their current platforms.
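A starting point for that investigation, as an added example that is not from the page or from Progress: a Python script that checks two post-exploitation indicators on a MOVEit Transfer host, requests for the human2.aspx web shell in IIS logs and .aspx files in the web root created or modified during the exploitation window. The web-shell filename is the one reported in the Progress and CISA advisories; the log lines, the directory listing and the window dates (taken from the timeline above) are constructed for the example and stand in for your own evidence.

```python
import datetime as dt

# Web-shell filename reported in the Progress and CISA advisories for
# CVE-2023-34362. Extend the set as your own evidence warrants.
WEBSHELL_NAMES = {"human2.aspx"}

# Exploitation window from the timeline above. Assumption: adjust to the
# dates relevant to the instance under investigation.
WINDOW_START = dt.datetime(2023, 5, 27)
WINDOW_END = dt.datetime(2023, 6, 1)

# Constructed IIS W3C log excerpt (not from a real incident). RFC 5737
# documentation addresses are used for the client IPs.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-26 14:01:02 198.51.100.7 GET /human.aspx 200
2023-05-26 14:02:10 198.51.100.7 POST /api/v1/token 200
2023-05-27 03:12:44 203.0.113.10 GET /human2.aspx 200
2023-05-27 03:12:45 203.0.113.10 POST /human2.aspx 200
2023-05-28 09:00:00 203.0.113.10 GET /guestaccess.aspx 200
"""

# Constructed web-root listing as (filename, last-modified) pairs. On a live
# host, build this from os.scandir over the MOVEit wwwroot directory.
SAMPLE_WWWROOT = [
    ("human.aspx", dt.datetime(2022, 11, 3, 10, 0)),        # legitimate page
    ("human2.aspx", dt.datetime(2023, 5, 27, 3, 12)),       # web shell
    ("guestaccess.aspx", dt.datetime(2022, 11, 3, 10, 0)),  # legitimate page
    ("login.aspx", dt.datetime(2022, 11, 3, 10, 0)),        # legitimate page
]


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def find_webshell_requests(records):
    """Return every request whose URI stem names a known web-shell file."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            hits.append(rec)
    return hits


def flag_suspicious_files(entries, start=WINDOW_START, end=WINDOW_END):
    """Flag web-root files by known name or by .aspx modification in the window."""
    flagged = []
    for name, mtime in entries:
        reasons = []
        if name.lower() in WEBSHELL_NAMES:
            reasons.append("known web-shell name")
        if name.lower().endswith(".aspx") and start <= mtime < end:
            reasons.append("aspx created/modified in exploitation window")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for hit in find_webshell_requests(parse_iis_log(SAMPLE_IIS_LOG)):
        print("web shell request:", hit["date"], hit["time"], hit["c-ip"],
              hit["cs-method"], hit["cs-uri-stem"])
    for name, reasons in flag_suspicious_files(SAMPLE_WWWROOT):
        print("suspicious file:", name, "->", "; ".join(reasons))
```

Absence of these two indicators is not evidence of non-compromise: the advisories list further indicators, an attacker can rename or delete the shell, and the database queries themselves leave traces only in logs the instance was configured to keep. Treat a hit as confirmation and a miss as a reason to widen the search.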

How Cloudskope Can Help

Cloudskope's Third-Party Vendor Risk Assessment evaluates your critical vendors' internet-facing systems, file transfer platforms, and managed service technology stacks — identifying the vendor-side exposure that creates indirect breach risk for your organization regardless of the security of your own systems.

Frequently Asked Questions