Threat Outlook for the MOVEit Vulnerabilities 

Over the previous two weeks, there have been three critical vulnerabilities disclosed impacting the MOVEit Transfer MFT solution developed by Ipswitch, a subsidiary of the Progress Software Corporation. Optiv’s Global Threat Intelligence Center (gTIC) has been tracking the updates and has provided our clients with up-to-date notifications and remediation guidance along the way. This blog post covers the latest information related to the vulnerabilities, targeting, and remediation and mitigation recommendations.




On May 31, 2023, Progress issued a security notice to users of MOVEit Transfer regarding a vulnerability that allows for privilege escalation and potential unauthorized access to the environment. According to the Center for Internet Security, MOVEit Transfer “allows enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.” CVE-2023-34362 is a SQL injection vulnerability that leads to remote code execution (RCE). Security researchers with Rapid7 reported 2,500 primarily U.S.-based exposed MOVEit Transfer servers with the same webshell located on all actively targeted devices. As BleepingComputer writes, “The web shell is named “human2.asp” and has been located in the c:\MOVEit Transfer\wwwroot\ public HTML folder…[W]hen the webshell is accessed and the correct password supplied, the script will execute various commands based on the value of the 'X-siLock-Step1', 'X-siLock-Step1', and 'X-siLock-Step3' request headers.” With these commands, threat actors can retrieve a list of stored files and identify who uploaded them and their file paths. They can also add and remove a MOVEit Transfer user, find information about the configured Azure Blob Storage account, and download server files.


Security researchers with Mandiant reported that the vulnerability had been actively exploited by the Clop ransomware operators (aka TA505, DEV-0950, Lace Tempest), with the earliest exploitation observed on May 27, 2023. However, other reports indicate that the vulnerability had been exploited as early as March 3, 2023. Researchers have observed threat actors deploying a webshell, LEMURLOOT, to steal sensitive data from targeted victims. The LEMURLOOT webshell is written in C# and designed to interact with the MOVEit Transfer platform.


On June 8, 2023, security researchers with Kroll reported that the Clop ransomware group has Likely had access to and has been looking for ways to exploit the vulnerability since 2021. This was determined based on the researchers’ log analysis of some clients’ compromised networks during the investigations of the Clop ransomware group attacks. While the Clop ransomware group conducted a mass exploit attack on May 27, 2023, it is Likely that the group has been actively targeting the vulnerability for the previous 24 months, collecting data and remaining undetected until the vulnerability was discovered.




On June 9, 2023, Progress issued an update to the security notice related to the MOVEit Transfer vulnerability, CVE-2023-34362, stating that the company partnered with third-party cybersecurity experts who identified additional vulnerabilities that threat actors could potentially exploit. Distinguishing from CVE-2023-34362, which was disclosed on May 31, 2023, Progress explains that attackers could leverage these new vulnerabilities to “submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.” This vulnerability reportedly affects all MOVEit Transfer versions and could also allow threat actors to access and steal sensitive information.




On June 15, 2023, Progress released another advisory warning of a new vulnerability affecting the MOVEit Transfer MTF software. Adversaries can leverage this vulnerability, CVE-2023-35708, to elevate privileges and potentially gain unauthorized access to the environment. The Progress advisory warned customers to restrict all HTTP access to their environments and implement the patch that became available today, June 16, 2023. Denying HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 would prevent users from being able to log into their accounts via the web UI. File transfers will still be available since the SFTP and FTP/s protocols will continue to work.



Clop Ransomware

On June 6, 2023, the Cl0p ransomware gang posted a message to their data leak site, CL0P^_- LEAKS, demanding that victims contact them before June 14, 2023, to negotiate extortion fees for deleting stolen data. Companies could then receive a small number of their stolen files as proof, after which they would have 3 days to discuss price. After 7 days, Cl0p would begin to publish a company’s data on the data leak site. Interestingly, the ransomware group includes a note at the bottom of their message stating that they have already deleted any city, government, and law enforcement data as they have “no interest” in publishing this type of data. Avoiding government and law enforcement agency targets is one method utilized by ransomware groups to avoid an increase in law enforcement attention.


On June 14, 2023, the Clop operators began naming companies on their data leak site CL0P^_- LEAKS. The group has not posted the purportedly stolen data and has begun listing the victims’ names, websites, phone numbers, and addresses. At the time of writing, the group has publicly named 39 victims. Of those 39, a few have been removed, indicating that these names were either mistakenly listed or the victims have initiated negotiations. It is Likely that the group will continue naming alleged victims on their data leak site over the next 30 days as they sort through the victim list and purportedly stolen data.



MoveIt Figure 1.png

Figure 1: Cl0p ransomware group’s extortion message Posted to CL0P^_- LEAKS


The Cl0p ransomware variant was first discovered in February 2019 as an updated version of the “CryptoMix” ransomware. Cl0p targets large enterprises across numerous global verticals. However, it is designed to terminate itself if the target is identified as an organization within Russia or another Commonwealth of Independent States (CIS) country.


The Clop ransomware group has historically taken advantage of transfer software and services to exfiltrate data and hold it for ransom. Among the hundreds of victims listed on the CL0P^_- LEAKS data leak site include those targeted in the December 2020 zero-day exploitation of Accellion FTA servers and the January 2023 exploitation of the GoAnywhere MFT zero-day. In these attacks, the Clop ransomware operators did not encrypt data and focused on data exfiltration. The group has targeted organizations in all verticals, but over the previous six months, they have focused on Industrials, financial services, healthcare, and technology organizations. Most of their victims have been located in North America (97), with a focus on the United States (82), followed by organizations based in Europe (30).



MoveIt Figure 2.png

Figure 2: Victims by vertical listed on Clop Ransomware data leak site January 01 – June 16, 2023


The graphic below illustrates the Optiv Threat Actor Metric for Cl0p ransomware. The Optiv Threat Actor Metric™ was developed by Optiv’s gTIC and is a multi-faceted, qualitative approach to determine a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible of 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.



MoveIt Figure 3.png

Figure 3: Threat Actor Metric Score for Clop Ransomware



Threat Outlook

Clop operators have grown a reputation for targeting this type of software by exploiting zero-day vulnerabilities and stealing sensitive data. It is Likely that additional threat actors will begin exploiting this vulnerability over the next 30 days. Additionally, it is Likely that other, lower-level threat actors will attempt to send scam emails purporting to have stolen data and demanding a ransom payment over the next 30 days.


Optiv’s Global Threat Intelligence Center (gTIC) assesses with High Confidence that the MOVEit Transfer vulnerability will continue to be exploited by threat actors in an attempt to steal sensitive information, credentials, and deploy malware over the next 30 days. Additionally, it is Likely that additional threat actors, including APT and cybercriminals, will begin targeting the vulnerability over the next 30 days.


Supply-chain attacks in which third-party software is compromised to infect multiple entities are Likely to increase over the next 12 months. Optiv’s gTIC assesses with High Confidence these will occur because of the increasing number of high-impact and high-visibility supply-chain attacks over the past three years.


An extreme case of where a high-level vulnerability resulted in a significant compromise was the July 2021 Kaseya supply-chain attack. This attack stemmed from a SQLi vulnerability in Kaseya’s VSA software that was exploited by cyber-criminals to deploy the REvil ransomware to hundreds of Kaseya’s customers via a fake software update.


Optiv’s gTIC assesses with High Confidence that adversary groups will rely on software and service providers’ websites for reconnaissance efforts to identify high-value targets that are listed on the providers’ webpage (see Figure 3). These webpages, like testimonials or “Who We Serve” sections, are used for marketing and lead generation but also provide valuable information to adversary groups during target selection.






  • Apply the appropriate patches to the MOVEit Transfer MFT software. There are options depending on whether you have applied the remediation and patching steps recommended to address the May 2023 CVE-2023-34362 vulnerability:

    • If you HAVE NOT applied the May 2023 patch: Follow all the remediation steps and patching in the following article: MOVEit Transfer Critical Vulnerability (May 2023) containing the latest patches, including the fix for the June 9 (CVE-2023-35036) vulnerability and the original vulnerability from May 31 (CVE-2023-34362). Then proceed to the following:
    • I have you HAVE applied the May 2023 patch and followed the remediation steps: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE Pending) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036) and June 15 (CVE-2023-35708).
    • If you HAVE applied May 2023 patch, followed the remediation steps, and applied the June 9 patch: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE-2023-35708) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036), and June 15 (CVE-2023-35708).


  • Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment until the patch can be applied. Specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
  • Review, delete, and reset unauthorized files and user accounts, delete any instances of the human2.aspx and .cmdline script files. Look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory, and for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline.
  • Review logs for unexpected downloads of files from unknown IP addresses or large numbers of filed downloaded. Additionally, reset credentials for admins and service accounts for affected systems.
  • Be aware and on the lookout for extortion communications that are quarantined. Extortion emails may get blocked by email gateways or employees may ignore the email because it appears as spam. Consider the use of e-discovery searches and email quarantine reviews.
  • Admins that configured Azure API keys should rotate them as soon as possible to avoid use if an attacker were able to steal them.
  • Implement an IRP that includes how the data is backed up and how data can be restored, the process for notifying the appropriate team members and law enforcement, and methods to ensure business continuity.
  • Create a robust security awareness program that includes training on downloading software and how and when to report incidents and concerns to an incident response authority.





Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit