Anatomy of a Breach: MOVEit Transfer — Cl0p's Mass Exploitation Campaign That Hit 2,500 Organisations

> series: anatomy_of_a_breach —— part: 173 —— target: moveit_transfer —— attacker: cl0p —— organisations: 2,500+ —— people: 60,000,000+

Hedgehog Security · 31 May 2023 · 15 min read

2,500 organisations. 60 million people. Through a file transfer tool. SQL injection. In 2023.

In late May 2023, the Cl0p ransomware group began mass-exploiting CVE-2023-34362 — a critical SQL injection vulnerability in MOVEit Transfer, a managed file transfer (MFT) application developed by Progress Software. MOVEit Transfer is used by thousands of organisations — including government agencies, financial institutions, healthcare providers, and enterprises — to exchange sensitive files securely. Cl0p had identified and begun exploiting the vulnerability before it was publicly disclosed, deploying web shells on vulnerable servers and systematically exfiltrating data.

The scale was staggering: over 2,500 organisations and more than 60 million individuals were affected worldwide. Victims included Shell, Ernst & Young, PwC, the US Department of Energy, the Oregon and Louisiana Departments of Motor Vehicles, multiple US government agencies, and — critically for the UK — the BBC, British Airways, Boots, and Ofcom. Cl0p did not encrypt files (as traditional ransomware does) but instead exfiltrated data and demanded payment to prevent publication — a pure extortion model. The campaign was the most impactful mass exploitation event since SolarWinds/Sunburst (2020).



SQL injection. In a file transfer tool. In 2023. Still.

The MOVEit vulnerability was SQL injection — the same vulnerability class that has appeared in virtually every year of this series since Heartland Payment Systems (2008). From Heartland through TalkTalk (2015) and VTech (2015) to MOVEit (2023), SQL injection has been the most persistent, most exploitable, and most preventable vulnerability class in the history of cybersecurity. Fifteen years later, it remains capable of compromising 2,500 organisations simultaneously.
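
Added example, not code from the page or from MOVEit Transfer: a file-index lookup of the kind a file transfer application performs, written first with string concatenation (the vulnerable pattern) and then with bound parameters (the fix), run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly. The table, column and account names are assumptions.

```python
import sqlite3

# Constructed in-memory file index standing in for a file transfer
# application's database: which files exist and which account owns them.
SAMPLE_FILES = [
    ("q1-report.pdf", "alice"),
    ("payroll.csv", "bob"),
    ("merger-draft.docx", "carol"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    return conn


def lookup_vulnerable(conn, user, name):
    # Caller-supplied strings are spliced into the statement text, so a
    # quote character in either value changes the query's structure.
    sql = ("SELECT name, owner FROM files "
           f"WHERE owner = '{user}' AND name = '{name}'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user, name):
    # Bound parameters travel separately from the statement; the engine
    # treats them as data only, whatever characters they contain.
    sql = "SELECT name, owner FROM files WHERE owner = ? AND name = ?"
    return conn.execute(sql, (user, name)).fetchall()


def compare(user, name):
    """Run the same lookup both ways and return (vulnerable, parameterised)."""
    conn = make_db()
    try:
        return (lookup_vulnerable(conn, user, name),
                lookup_parameterised(conn, user, name))
    finally:
        conn.close()
```

With an ordinary file name both lookups agree; with a name containing a quote the concatenated query returns every row in the table while the parameterised one returns nothing, which is exactly the gap a code review or a web application test is looking for.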

SQL Injection — Fifteen Years and Counting

SQL injection first appeared in this series in 2008 (<a href="/blog/anatomy-of-a-breach-heartland-payment-systems">Heartland</a>) and has appeared in nearly every year since. The MOVEit breach proved it remains capable of powering the largest breaches of 2023. Our <a href="/penetration-testing/web-application">web application penetration testing</a> tests for SQL injection on every engagement — because fifteen years of evidence proves it will be found.

Managed File Transfer as Target

MOVEit Transfer is specifically designed for the secure exchange of sensitive files — making it a high-value target containing concentrated sensitive data. Cl0p had previously exploited vulnerabilities in GoAnywhere MFT (another file transfer tool) in January 2023, establishing a pattern of targeting MFT platforms. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses file transfer platform security.

Web Shells for Persistent Access

Cl0p deployed web shells on compromised MOVEit servers — providing persistent access even after the vulnerability was patched. As with the <a href="/blog/anatomy-of-a-breach-hafnium-exchange">Hafnium/Exchange</a> (2021) attacks, patching alone is insufficient — organisations must also check for post-exploitation artefacts. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects web shell installation and usage.

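
Added example, not the page's or the vendor's code: the post-exploitation artefact check the paragraph calls for, implemented as a comparison of a web root against a known-good file manifest, so that files a patch never touched (a dropped page, an altered existing one) still surface. The web root layout and file names are constructed; a real manifest would be built from a clean install, never from the suspect server itself.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def find_artefacts(root, known_good):
    """Files absent from, or differing from, the known-good manifest.
    A vendor patch does not remove these; this comparison is what finds them."""
    current = build_manifest(root)
    added = sorted(p for p in current if p not in known_good)
    modified = sorted(p for p in current
                      if p in known_good and current[p] != known_good[p])
    return added, modified


def demo():
    # Constructed web root (assumed to be an ASP.NET-style tree): a clean
    # baseline, then one unexpected new page and one tampered existing page,
    # as a post-patch sweep would encounter them.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "default.aspx").write_text("<%-- original page --%>")
        (root / "bin" / "app.dll").write_bytes(b"MZ original module")
        baseline = build_manifest(root)
        (root / "uploads.aspx").write_text("<%-- unexpected new page --%>")
        (root / "default.aspx").write_text("<%-- original page, altered --%>")
        return find_artefacts(root, baseline)
```

Files the manifest does not know about, and known files whose hash has changed, are the candidates to pull for analysis; timestamps alone are not reliable because they are trivially reset.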
Extortion Without Encryption

Cl0p did not deploy ransomware — it exfiltrated data and demanded payment to prevent publication. This 'extortion-only' model is increasingly common because it avoids the operational disruption that triggers rapid incident response, allowing attackers to steal more data before detection. <a href="https://www.socinabox.co.uk/blog/data-loss-prevention-small-business">Data loss prevention</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects mass data exfiltration.
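
Added example, not code from the page or from SOC in a Box: a volume-based detector for the bulk download that an extortion-only operation depends on, run over constructed MFT audit lines. The log field layout, account names and addresses are assumptions, not MOVEit's own format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFT download audit lines (layout assumed, not MOVEit's own
# format): timestamp, account, client address, action, bytes served.
SAMPLE_LOG = """\
2023-05-28T02:11:04Z user=svc_upload ip=203.0.113.7 action=download bytes=52428800
2023-05-28T02:11:09Z user=svc_upload ip=203.0.113.7 action=download bytes=73400320
2023-05-28T02:11:15Z user=svc_upload ip=203.0.113.7 action=download bytes=94371840
2023-05-28T02:11:21Z user=svc_upload ip=203.0.113.7 action=download bytes=62914560
2023-05-28T09:30:44Z user=alice ip=198.51.100.23 action=download bytes=1048576
2023-05-28T09:45:02Z user=alice ip=198.51.100.23 action=upload bytes=2097152
2023-05-28T10:02:17Z user=bob ip=198.51.100.40 action=download bytes=3145728
"""


def parse_line(line):
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields["user"],
            fields["ip"], fields["action"], int(fields["bytes"]))


def flag_bulk_downloads(log_text, window=timedelta(minutes=10),
                        threshold=200 * 1024 * 1024):
    """Return (user, ip, bytes) for each account/address pair whose
    download volume inside one sliding window exceeds the threshold."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, ip, action, size = parse_line(line)
        if action == "download":          # uploads are not exfiltration
            per_source[(user, ip)].append((ts, size))
    alerts = []
    for (user, ip), events in per_source.items():
        events.sort()
        start, total = 0, 0
        for ts, size in events:
            total += size
            while ts - events[start][0] > window:   # drop events outside window
                total -= events[start][1]
                start += 1
            if total > threshold:
                alerts.append((user, ip, total))
                break                     # one alert per source is enough
    return alerts
```

The threshold and window should be set from each account's own baseline; a service account pulling hundreds of megabytes at 02:00 is the pattern worth paging on, and nothing in it depends on an encryption event ever happening.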

SQL injection. Fifteen years. 2,500 organisations. Test your applications.

The MOVEit breach is the single most powerful argument for continuous web application testing in the history of cybersecurity. SQL injection — a vulnerability class that has been documented, understood, and preventable for over twenty years — compromised 2,500 organisations and exposed 60 million people in 2023. Web application penetration testing finds SQL injection. Vulnerability scanning identifies unpatched MOVEit and other MFT platforms. Cyber Essentials mandates 14-day patching. SOC in a Box detects exploitation and data exfiltration. And UK Cyber Defence provides incident response when file transfer platforms are compromised.


SQL injection. 2023. 2,500 organisations. 60 million people. Have your web applications been tested?

Our <a href="/penetration-testing/web-application">web application testing</a> finds SQL injection. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched platforms. <a href="/cyber-essentials">Cyber Essentials</a> mandates patching.
