MOVEit Zero-Day: One SQL Injection Flaw, 2,700 Organisations Breached
A SQL injection zero-day in MOVEit Transfer — a file transfer application used by government agencies and major corporations — was exploited by the Cl0p ransomware group to steal data from over 2,700 organisations.
Attack Chain
1. SQL injection in MOVEit Transfer
2. Authentication bypassed
3. File download endpoint abused
4. Mass data exfiltration
5. 2,700 organisations affected
6. Cl0p extortion campaign
Background
MOVEit Transfer is a managed file transfer application made by Progress Software, used by government agencies, financial institutions, healthcare providers, and large corporations to securely transfer sensitive files. Many organisations had exposed it to the internet.
The Attack
The Cl0p ransomware group discovered a SQL injection vulnerability in MOVEit Transfer's web application that allowed unauthenticated attackers to bypass authentication, create administrator accounts and download stored files. Rather than deploying ransomware, they ran automated mass exploitation over a single holiday weekend in late May 2023, exfiltrating data from thousands of organisations before the vendor had disclosed or patched the flaw. Victims included the US Department of Energy, Shell, British Airways, the BBC, Boots, Aer Lingus, the New York City school system, and hundreds of others.
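The page does not reproduce the vulnerable MOVEit code, so the following is an added illustration of the vulnerability class rather than the product's own logic: a login routine that concatenates user input into SQL, beside the parameterised version that closes the hole. The table layout, the `_hash` helper and the sample accounts are assumptions made for the example (an unsalted SHA-256 stands in for a proper password hash to keep the block short).

```python
import hashlib
import sqlite3
from typing import Optional


def _hash(password: str) -> str:
    # Assumption for the example: a real system would use a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table; not a real MOVEit schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "pw_hash TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
        [("admin", _hash("S3cret!adm"), "admin"),
         ("alice", _hash("alice-pw"), "user")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """Deliberately vulnerable: the username is spliced into the SQL text.

    A username of  admin' --  turns the WHERE clause into
        username = 'admin' --' AND pw_hash = '...'
    so everything after the comment marker, including the password check,
    is discarded and the caller is logged in as admin with any password.
    """
    query = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[str]:
    """Hardened form: bound parameters are never parsed as SQL, so the same
    payload is simply looked up as a literal username and matches nothing."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "admin' --"
    print("vulnerable:", vulnerable_login(db, payload, "wrong-password"))  # admin
    print("hardened:  ", safe_login(db, payload, "wrong-password"))        # None
    print("legit:     ", safe_login(db, "admin", "S3cret!adm"))            # admin
```

The bypass works without knowing any credential, which is the property that let an unauthenticated attacker reach admin-only functionality. Note that the fix is the query construction, not input filtering: the hardened version performs no escaping at all.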
Response
Progress Software released a patch on May 31, 2023, the same day it disclosed the vulnerability. CISA and international agencies issued emergency advisories. Victims received extortion demands from Cl0p threatening to publish stolen data unless paid.
Outcome
Over 2,700 organisations were breached, affecting approximately 93 million individuals. Total damages have been estimated at around $15 billion. It was among the largest mass exploitations of a single vulnerability on record, demonstrating that managed file transfer software is a critical attack surface for data theft.
Key Takeaways
- File transfer software exposed to the internet is extremely high-risk — restrict access with IP allowlisting and VPN
- Mass exploitation of zero-days can affect thousands of organisations before a patch exists
- Data-theft-only attacks (no encryption) can be as damaging as ransomware
- Have a rapid patch deployment process — hours matter in mass exploitation events
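The attack chain above ends in bulk downloads from a single exposed endpoint, which is a pattern that can be spotted in web server logs even before a vulnerability is public. The following is an added example, not from the page or from Progress Software: a small detector that flags any client IP fetching more than a threshold of files through a download endpoint within a sliding time window. The log format, the `/download` path convention, the addresses (documentation ranges) and the traffic are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format for the example: "<ISO timestamp> <client ip> <method> <path> <status>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
DOWNLOAD_RE = re.compile(r"/files/\d+/download$")  # assumed download route


def constructed_sample_log() -> str:
    """Builds a fake access log: one normal user and one bulk downloader."""
    base = datetime(2023, 5, 27, 2, 0, 0)
    lines: List[str] = []
    # Normal user: three downloads spread over an hour, plus some browsing.
    for i, minute in enumerate((3, 25, 58)):
        ts = (base + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 198.51.100.4 GET /api/v1/folders/7/files/{200 + i}/download 200")
        lines.append(f"{ts} 198.51.100.4 GET /api/v1/folders/7 200")
    # Bulk downloader: 25 distinct files in under three minutes.
    for i in range(25):
        ts = (base + timedelta(seconds=7 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 203.0.113.9 GET /api/v1/folders/1/files/{1000 + i}/download 200")
    return "\n".join(lines)


def parse_downloads(log: str) -> Dict[str, List[datetime]]:
    """Returns, per client IP, the timestamps of successful download requests."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "200" or not DOWNLOAD_RE.search(m["path"]):
            continue
        by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return by_ip


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events falling inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bulk_downloaders(log: str, window: timedelta = timedelta(minutes=10),
                          threshold: int = 20) -> Dict[str, int]:
    """Maps each IP whose peak download rate exceeds the threshold to that peak."""
    return {ip: n for ip, times in parse_downloads(log).items()
            if (n := max_in_window(times, window)) > threshold}


if __name__ == "__main__":
    for ip, peak in find_bulk_downloaders(constructed_sample_log()).items():
        print(f"ALERT {ip}: {peak} downloads within 10 minutes")
```

Tune the window and threshold to the service's normal usage; the point is that a single client pulling files at machine speed looks nothing like an interactive user, so a rate-based rule catches exfiltration without any knowledge of the exploit itself. Keep the detection off the vulnerable host where possible, since an attacker with admin access could otherwise tamper with it.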