Cl0p Claims the MOVEit Attack; Here's How the Gang Did It

Published: 23/11/2024   Category: security




A researcher guides Dark Reading through the most important bits of Cl0p's latest exploit.



The Cl0p ransomware gang has claimed credit for the breach of Progress Software's MOVEit file transfer program. Experts say the attack was not only successful, affecting hundreds of million- and billion-dollar organizations throughout the Western world, but also surprisingly simple.

Though researchers initially tracked the MOVEit hackers as a novel group, on June 4 Microsoft attributed the attack to an actor it tracks as Lace Tempest, known for running the Cl0p extortion website. On the evening of June 6, the Cl0p ransomware gang confirmed Microsoft's hypothesis in an announcement to affected organizations. It also issued an ultimatum.

"DEAR COMAPNIES.," the actors wrote in broken English, "THIS IS ANNOUNCEMENT TO EDUCATE COMPANIES WHO USE PROGRESS MOVEIT PRODUCT THAT CHANCE IS THAT WE DOWNLOAD A LOT OF YOUR DATA AS PART OF EXCEPTIONAL EXPLOIT."
The Cl0p connection, while dramatic, isn't surprising, says Louise Ferrett, threat intelligence analyst for Searchlight Cyber. "We know that Cl0p has been exploiting file transfer solutions for a while now: Accellion, SolarWinds, GoAnywhere, PaperCut, and now MOVEit. They are the masters of this kind of attack."
What is unexpected, though, is that such a successful attack turned out to be so simple, as John Hammond, senior security researcher for Huntress, explains.
After days spent unpacking the MOVEit vulnerability, CVE-2023-34362, Hammond talked to Dark Reading about how Cl0p did it. "Forgive me," he says over a Zoom call, "I don't know how nerdy this'll get."
Hammond pulls up a virtual machine running an unpatched version of MOVEit, and logs in to show what the environment looks like before he does his magic. The objective: to upload a GIF from the movie Madagascar, no permissions necessary.
"So the gimmick is: Are there any SQL injection vulnerabilities that we could go ahead and take advantage of and exploit?" he explains.
Before running it in Command Prompt, he flashes the window containing his custom malicious script. It's short, maybe 100 lines by the looks of it. Does this indicate that the attack was, actually, rather simple?
"Correct," Hammond says, as he traces back the logic of his reverse engineering. "So if someone goes through it with some due diligence, to try to understand the differences in deltas between the patch and the vulnerable versions, you can see what's removed, what's cleaned up, what's modified, and how Progress Software mitigated this threat."
"And the logs of the original threat actor activity give us at least a little bit of a breadcrumb to put the puzzle pieces together, and see what they were doing," he adds, as he pulls them up.
"It's stealing the API tokens, and uploading files, as you can tell here. And then further on, they'll end up uploading their Web shell for persistence," he explains. The Web shell LEMURLOOT, under the file name human2.aspx, has been identified industry-wide as an indicator of compromise (IOC) for MOVEit victims.
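Two concrete things a defender can do with the details above: the patch-diffing approach Hammond describes (compare the vulnerable and patched install trees to see what changed) and a hunt for the human2.aspx indicator on disk and in web server logs. The following is an added example written for this page; it is not Huntress's, Progress Software's or Dark Reading's code. The install trees, web root and IIS-style log lines are constructed inline for the demo, and the paths and the benign near-miss file name human.aspx are assumptions, not real MOVEit layout.

```python
"""Added example: (1) hash-diff two install trees to locate patched files,
(2) hunt for the LEMURLOOT IOC (human2.aspx) on disk and in W3C-format web logs.
All inputs below are constructed for the demo; nothing is read from a live system."""
import hashlib
import os
import tempfile

IOC_FILENAME = "human2.aspx"  # IOC named in the article


def hash_tree(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(vulnerable_root, patched_root):
    """First step of patch diffing: which files were added, removed or modified."""
    old, new = hash_tree(vulnerable_root), hash_tree(patched_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def find_ioc_files(webroot, ioc=IOC_FILENAME):
    """Paths of files whose name matches the IOC, case-insensitively (IIS is case-insensitive)."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        hits.extend(os.path.join(dirpath, n) for n in filenames if n.lower() == ioc.lower())
    return sorted(hits)


def parse_w3c(lines):
    """Yield one dict per IIS W3C log record, using the '#Fields:' directive for keys."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_ioc_requests(lines, ioc=IOC_FILENAME):
    """(client ip, method, uri, status) for every request whose path ends in the IOC."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        if uri.lower().endswith("/" + ioc.lower()):
            hits.append((rec.get("c-ip"), rec.get("cs-method"), uri, rec.get("sc-status")))
    return hits


def _write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def build_sample_trees():
    """Constructed 'vulnerable' and 'patched' trees (hypothetical file names)."""
    base = tempfile.mkdtemp()
    vuln, patched = os.path.join(base, "vulnerable"), os.path.join(base, "patched")
    _write_tree(vuln, {"bin/Core.dll": b"v1", "bin/Helper.dll": b"same", "web/old.aspx": b"old"})
    _write_tree(patched, {"bin/Core.dll": b"v2", "bin/Helper.dll": b"same", "web/new.aspx": b"new"})
    return vuln, patched


def build_sample_webroot():
    """Constructed web root with one planted IOC file in mixed case."""
    root = tempfile.mkdtemp()
    _write_tree(root, {"wwwroot/index.html": b"<html></html>", "wwwroot/Human2.aspx": b"<%@ Page %>"})
    return root


# Constructed sample log; 'human.aspx' is a benign near-miss to show exact matching.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 03:12:44 10.0.0.5 GET /human.aspx - 443 198.51.100.7 200
2023-05-28 03:12:51 10.0.0.5 POST /api/v1/token - 443 198.51.100.7 200
2023-05-28 03:13:02 10.0.0.5 POST /human2.aspx - 443 198.51.100.7 200
2023-05-28 03:15:10 10.0.0.5 GET /HUMAN2.aspx - 443 203.0.113.9 404
""".splitlines()

if __name__ == "__main__":
    v, p = build_sample_trees()
    print("patch delta:", diff_trees(v, p))
    print("IOC files:", find_ioc_files(build_sample_webroot()))
    print("IOC requests:", find_ioc_requests(SAMPLE_LOG))
```

A 404 hit is still worth chasing: it shows someone probing for the shell even if it is no longer on disk. Matching on the path suffix rather than a substring avoids flagging unrelated resources whose names happen to contain the string.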
Cl0p made liberal use of LEMURLOOT, though it isn't actually necessary to the attack chain. In a version of an exploit demo published after Hammond's conversation with Dark Reading, Huntress opted for the Meterpreter interactive shell instead of LEMURLOOT, escalating to SYSTEM on a virtual machine and then deploying a Cl0p ransomware payload.
Using straightforward SQL injection, an attacker with no credentials can masquerade as a guest user and then exfiltrate files, upload malware, or do just about anything else within a MOVEit environment it has no authorization for.
To conclude his demonstration for Dark Reading, Hammond runs his script and refreshes the sample MOVEit window, this time revealing a new file: reMOVEit.gif.
Beyond the victims and the security community, a few cybercriminals have been asking questions about the MOVEit attack, such as a post (translated to English) that Mironescu and his colleagues stumbled upon, from a Russian dark web user interested in purchasing some of the stolen data.
"There've been some other posts, but more limited in terms of scope. People have said they're interested in the data, but they didn't provide a budget. We also saw one actor who expressed interest in the technical part; he was probably trying to engage in exploiting this vulnerability [himself]," Ferrett posits.
Whether the vultures will get their scraps will be up to Cl0p. "WE ARE THE ONLY ONE WHO PERFORM SUCH ATTACK," the group stated on June 6. Whether and how they'll monetize and possibly share their winnings may become clear on June 14, when the group plans to start naming and shaming its stubborn victims.
For now, they advised victims to "RELAX BECAUSE YOUR DATA IS SAFE." Not very reassuring.
