MOVEit and Cl0p
A managed file-transfer tool sat between thousands of organizations and their payroll providers. The Cl0p gang found a zero-day in it and harvested data from all of them in a single weekend.
MOVEit Transfer is the kind of software most consumers will never see and most enterprises depend on without thinking about it. It is a managed file-transfer product used by banks, payroll providers, benefits administrators, and government agencies to move sensitive flat files between organizations every night.
A weekend with a zero-day
In late May 2023, the Russian-speaking ransomware crew Cl0p — by that point already several years into a career of extortion — used a previously unknown SQL injection flaw in MOVEit's web interface to deploy a web shell. From the shell, they pulled databases of stored file transfers and, in many cases, the files themselves.
What made the campaign unusually destructive was the topology. Many MOVEit deployments were operated by third-party providers — Zellis in the UK, PBI Research Services in the US — whose customers were entire ecosystems of other organizations. A single compromised MOVEit instance at a payroll vendor could expose every customer that vendor served, including their employees, retirees, and beneficiaries.
A long, slow naming
Cl0p chose not to encrypt anything. Instead, the group ran a months-long extortion campaign, periodically posting new victim names to its leak site: the BBC, British Airways, the US Department of Energy, the Louisiana Office of Motor Vehicles, hundreds of universities. The total count of affected organizations passed two thousand and continued climbing into 2024.
What the chronicle remembers
MOVEit dramatized a class of vendor that defenders had under-instrumented: the boring B2B file-transfer pipes. After Cl0p, the entire category got re-inventoried, and the implicit assumption that "we don't have data there" turned out, very often, to be wrong.