Summary
Starting 27 May 2023, the Clop extortion gang mass-exploited a SQL-injection zero-day, CVE-2023-34362, in Progress MOVEit Transfer, a managed file-transfer product that organizations use to move sensitive files. Before any patch existed, Clop hit internet-facing MOVEit servers across the world, planting a web shell called LEMURLOOT and stealing the contents of the underlying databases. There was no encryption and no ransomware downtime: Clop simply exfiltrated data and extorted victims by threatening to publish it on its leak site. Because MOVEit sits at the data's edge and is used by vendors of vendors, a single product flaw cascaded to about 2,770 organizations and roughly 95 million people, including governments, banks, and household-name companies. Progress patched on 31 May 2023, after exploitation was already widespread. The lesson is that managed file-transfer and other internet-facing data apps are prime mass-exploitation targets.
How it happened
Clop did not break into thousands of companies one at a time; it broke into one product they all used. MOVEit Transfer is a managed file-transfer (MFT) application: an internet-facing web app whose entire job is to hold and shuttle organisations' sensitive files. Clop had found a SQL-injection zero-day in it and, rather than use it quietly, sat on it and then unleashed it at scale on 27 May 2023, before Progress (MOVEit's maker) knew it existed. Microsoft tracks the gang as Lace Tempest, part of the long-running FIN11/TA505 cluster, and Mandiant found it had been testing the MOVEit bug as far back as 2021.
The injection let them plant a web shell, a malicious script named human2.aspx (which researchers dubbed LEMURLOOT), on each vulnerable MOVEit server. The web shell gave them the keys to the MOVEit database: it could authenticate inbound requests with a hard-coded password, enumerate and download the stored files, steal the credentials to any connected Azure Blob cloud storage, and even create a hidden administrator user. There was no ransomware and no encryption: Clop simply stole the data and moved to data extortion, naming victims on its leak site and demanding payment by a deadline to avoid publication. Progress shipped an emergency patch on 31 May, but by then the mass theft was done.
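The page does not show MOVEit's schema or query code, so the following is an added illustration of the flaw class only, not the product's own code. It builds a constructed in-memory table of file metadata with Python's sqlite3 module and queries it two ways: a lookup that pastes caller input into the SQL text (the defect behind any SQL injection) and the same lookup with a bound parameter. The table name, column names and the test inputs are all assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for a file-transfer app's metadata table.
# Added example: table and column names are assumptions, not MOVEit's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT);
        INSERT INTO files (owner, name) VALUES
            ('alice', 'payroll-2023-05.csv'),
            ('bob',   'contract-draft.docx'),
            ('carol', 'patient-export.xml');
    """)
    return conn


def list_files_vulnerable(conn, owner):
    # Defect: the caller-controlled value is concatenated into the SQL text,
    # so the database parser cannot distinguish data from query syntax.
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_parameterized(conn, owner):
    # Fix: the value is bound as a parameter and is never parsed as SQL,
    # so whatever it contains is matched literally against the column.
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = build_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # constructed test input containing quote characters
    print("vulnerable, honest input:   ", list_files_vulnerable(conn, honest))
    print("vulnerable, hostile input:  ", list_files_vulnerable(conn, hostile))
    print("parameterized, hostile input:", list_files_parameterized(conn, hostile))
```

With the honest input both functions return only alice's file. With the hostile input the concatenating version returns every row, because the input has rewritten the WHERE clause; the parameterized version returns nothing, because no owner is literally named that. The same distinction applies to every database driver: keep user-controlled values out of the query string and pass them as parameters.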
The damage
MOVEit became the largest data-theft campaign of 2023, and one of the largest ever. By the security firm Emsisoft's running tally it reached about 2,770 organisations and roughly 95 million individuals. The victim list reads like a directory of public life: US federal agencies and the Department of Energy, state motor-vehicle departments that lost millions of driver-license records, and the BBC, British Airways, Boots, and Aer Lingus, most of them hit not directly but through a single shared payroll provider, Zellis, whose MOVEit server was breached. That fourth-party risk, your data leaking through a vendor's vendor you never chose, was the campaign's defining feature. Coveware estimated Clop earned $75 to $100 million from it, most of that from a handful of large payers.
Why MOVEit still matters
MOVEit confirmed that managed file-transfer products are prime targets: internet-facing, packed with everyone's most sensitive files, and therefore irresistible. Clop had run the exact same play before, against Accellion's file-transfer appliance in 2020 and GoAnywhere MFT in early 2023 (around 130 organisations), and ran it again in late 2024 against Cleo's file-transfer software, because the target class is so rich. Two lessons stand out. First, data extortion without encryption means good backups do not save you; preventing the theft is the only defence. Second, fourth-party risk is real: your data can leak through a vendor's vendor you never chose. So minimise and purge what a file-transfer system holds, patch these edge apps on the fastest possible SLA, watch for web shells and anomalous database reads, and map your exposure to widely used products before the next one is mass-exploited. The underlying flaw is tracked separately as CVE-2023-34362.
How to fix it
- Patch MOVEit (CVE-2023-34362 and the follow-on SQL-injection CVEs) immediately, and take the server offline if you cannot patch fast.
- Hunt for the LEMURLOOT web shell and other persistence, and assume any data in the MOVEit database was taken.
- Rotate credentials, keys, and tokens stored in or reachable from the file-transfer system.
- Notify affected downstream parties; with a shared file-transfer product, your breach is also your customers' breach.
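The web-shell behaviour described above and the hunt step in this list both come down to two signals in the web server's own logs: a request to a server page that was not there before, and one client pulling far more data than anyone normally does. The script below is an added example, not MOVEit's tooling or anything from the CISA advisory. It parses constructed IIS-style W3C log lines (timestamps, client addresses and byte counts are invented; the page name human2.aspx is the LEMURLOOT file name researchers reported), learns the set of .aspx pages seen in a baseline period, and then flags requests to any .aspx page outside that set plus any client whose served bytes exceed a threshold. The baseline cutoff and the byte threshold are assumptions to tune per server.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IIS-style W3C log sample (not real MOVEit logs). Lines before
# BASELINE_END are treated as known-good history; the rest is the hunt window.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
2023-05-20 09:00:01 GET /login.aspx 198.51.100.10 200 4120
2023-05-20 09:00:07 POST /login.aspx 198.51.100.10 302 512
2023-05-20 09:01:15 GET /download.aspx 198.51.100.10 200 250000
2023-05-21 14:22:03 GET /download.aspx 198.51.100.11 200 180000
2023-05-28 02:13:44 POST /human2.aspx 203.0.113.7 200 940
2023-05-28 02:13:50 POST /human2.aspx 203.0.113.7 200 1410000
2023-05-28 02:14:02 GET /download.aspx 203.0.113.7 200 9800000
2023-05-28 02:14:09 GET /download.aspx 203.0.113.7 200 12400000
2023-05-28 02:14:15 GET /download.aspx 203.0.113.7 200 8800000
2023-05-28 08:30:00 GET /download.aspx 198.51.100.10 200 220000
"""
BASELINE_END = datetime(2023, 5, 27)  # assumption: end of the trusted history
BULK_BYTES = 20_000_000               # assumption: per-client volume that is abnormal here


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-bytes"] = int(rec["sc-bytes"])
        rows.append(rec)
    return rows


def hunt(rows, baseline_end=BASELINE_END, bulk_bytes=BULK_BYTES):
    """Return alerts: unknown .aspx pages requested, and clients served bulk data."""
    # Baseline: every .aspx page requested before the cutoff is assumed legitimate.
    known_pages = {
        r["cs-uri-stem"].lower()
        for r in rows
        if r["ts"] < baseline_end and r["cs-uri-stem"].lower().endswith(".aspx")
    }
    alerts = []
    served = defaultdict(int)
    for r in rows:
        if r["ts"] < baseline_end:
            continue
        stem = r["cs-uri-stem"].lower()
        # Signal 1: a server page that never appeared in the baseline window.
        if stem.endswith(".aspx") and stem not in known_pages:
            alerts.append(("unknown-aspx", stem, r["c-ip"], r["ts"].isoformat()))
        # Signal 2: accumulate successfully served bytes per client.
        if r["sc-status"] == "200":
            served[r["c-ip"]] += r["sc-bytes"]
    for ip, total in sorted(served.items()):
        if total > bulk_bytes:
            alerts.append(("bulk-read", ip, total))
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_w3c(SAMPLE_LOG)):
        print(alert)
```

On the sample this reports the two requests to /human2.aspx as an unknown page and 203.0.113.7 as a bulk reader of about 32 MB in a few seconds. IIS logs do not record request headers, so the hard-coded password the shell checks is not visible here; the same baseline-versus-now comparison applied to the .aspx files in the web root on disk is the complementary check.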
How to avoid it
- Treat internet-facing managed file-transfer and edge data apps as high-risk: minimal exposure, a fast vendor-patch SLA, and tight segmentation.
- Do not let a file-transfer box hold or reach more data than it must; purge transferred files promptly and minimize retention.
- Encrypt data at rest, and watch for web shells and anomalous database reads on these systems.
- Map your third-party and fourth-party exposure to widely used products like MOVEit, so you can react fast when one is hit.
- Prefer configurations that reduce internet-facing attack surface, and monitor vendor advisories for active zero-day exploitation.
References
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- https://cloud.google.com/blog/topics/threat-intelligence/zero-day-moveit-data-theft
- https://www.bankinfosecurity.com/data-breach-toll-tied-to-clop-groups-moveit-attacks-surges-a-23153
- https://www.theregister.com/2023/06/05/british_airways_boots_moveit/
- https://www.akamai.com/blog/security-research/moveit-sqli-zero-day-exploit-clop-ransomware
Related vulnerabilities
- MEDIUM GHSA-h4h3-3rfj-x6fq: SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
- CRITICAL CVE-2026-55447: Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
- HIGH CVE-2026-22555: Gitea before 1.26.0 is missing a `CanCreateOrgRepo` permission check on its fork API (CVE-2026-22555). A user without permission to create repositories in an organization could fork into it and, in doing so, exfiltrate the organization's secrets. It is a broken-authorization flaw that leaks organization and CI/CD secrets to users who should not have access to them.
- LOW GHSA-g7r4-m6w7-qqqr: esbuild's development server (versions 0.27.3 up to but not including 0.28.1) allows arbitrary file read on Windows: a crafted request path can escape the served directory and read files elsewhere on disk. It affects the development server only, not production builds, but anyone running `esbuild --serve` on Windows is exposed to any local or networked attacker who can reach the server.
- CRITICAL NPM-QIX-CHALK-DEBUG-2025: On 8 September 2025, the largest npm supply-chain attack ever by sheer reach hit foundational packages (chalk, debug, ansi-styles, strip-ansi, and 14 more) that together are downloaded over 2 billion times a week. The cause was a single phishing email. A respected maintainer was tricked by a fake "your npm 2FA is expiring" message into handing over his account, and the attackers published poisoned versions of his ultra-popular libraries. The payload was a crypto clipper: browser code that silently swapped any cryptocurrency address a user was sending to with the attacker's. Automated scanners flagged the poisoned versions within minutes and they were pulled within about two hours, and the actual theft came to roughly a thousand dollars, the one piece of good news in an attack that sat, briefly, under nearly the entire JavaScript ecosystem.
- CRITICAL CVE-2024-23897: CVE-2024-23897 was a critical arbitrary file read vulnerability in the Jenkins automation server, identified by Sonar's Vulnerability Research and disclosed in the Jenkins security advisory on January 24, 2024, affecting Jenkins weekly up to 2.441 and LTS up to 2.426.2. Jenkins parses built-in CLI command arguments with the args4j library, whose expandAtFiles feature is enabled by default and replaces an argument that begins with an @ character followed by a file path with the contents of that file; because Jenkins never disabled this, an attacker could pass @/path/to/file as a CLI argument to make the controller read and disclose files from its filesystem. Unauthenticated attackers could read the first few lines of arbitrary files, while attackers with Overall/Read permission could read entire files, enabling theft of secrets, SSH keys, and credentials. The leaked binary secret keys could then be chained into full remote code execution by forging Remember-me cookies, abusing Resource Root URLs, bypassing CSRF protection, or decrypting stored secrets. The flaw was added to the CISA KEV catalog on August 19, 2024 and was actively exploited, including by the RansomEXX ransomware gang and the actor IntelBroker, and was linked to breaches at BORN Group and Brontoo Technology Solutions.