Clop Mass-Exploits MOVEit Transfer Zero-Day; Hundreds of Organizations Affected

The Clop ransomware crew has been mass-exploiting a previously undisclosed SQL injection vulnerability in Progress Software's MOVEit Transfer managed file transfer product to steal data from hundreds of organizations worldwide.

The flaw, tracked as CVE-2023-34362, allows unauthenticated attackers to inject SQL queries and gain code execution on internet-exposed MOVEit servers. Progress released an emergency patch on May 31, but security researchers say exploitation began as early as May 27.

Confirmed victims now include the BBC, British Airways, Aer Lingus, the U.S. Department of Energy, Shell, the Oregon and Louisiana motor vehicle agencies, several U.S. state pension funds, and TIAA. The number of affected organizations continues to grow as victims work through breach notification requirements.

Unlike its earlier campaigns, Clop has not deployed ransomware payloads — instead opting for a pure data-theft extortion model. The group has begun listing victim names on its dark-web leak site, demanding payment to prevent data publication.

"Mass exploitation of managed file transfer products is becoming a Clop signature," said Caitlin Condon, vulnerability research manager at Rapid7. "We saw it with Accellion FTA in 2021, with GoAnywhere MFT earlier this year, and now with MOVEit. These products are juicy targets because they're often internet-facing and routinely process sensitive bulk data transfers."

CISA has added the MOVEit vulnerability to its Known Exploited Vulnerabilities catalog and urged federal agencies to apply Progress's patch immediately. Two additional vulnerabilities in MOVEit have been patched since the initial disclosure.