CISA/FBI: CL0P turned MOVEit Transfer into a repeatable mass data-theft pathway via CVE-2023-34362

Answer Brief

A joint CISA and FBI advisory details how the CL0P ransomware group (also tracked as TA505) exploited a previously unknown SQL injection flaw (CVE-2023-34362) in Progress Software’s MOVEit Transfer managed file transfer (MFT) product to implant a web shell (“LEMURLOOT”) and exfiltrate data from underlying databases. The advisory frames MOVEit as the latest example of a broader TA505 pattern: targeting internet-facing MFT platforms with zero-day exploits (Accellion FTA in 2020–2021, GoAnywhere MFT in early 2023, and MOVEit in May 2023) to conduct large-scale theft and extortion—often emphasizing data exfiltration over encryption.

Abstract diagram showing a managed file transfer hub as a central node in a network, with highlighted attack paths and data-exfiltration flows toward cloud storage, representing systemic risk from exploited MFT infrastructure.

Why It Matters

CISA and the FBI characterize the MOVEit incident as more than a single-product vulnerability: it is an example of an operational playbook where internet-facing managed file transfer systems become high-leverage collection points for sensitive data. MFT platforms sit at a choke point for business processes (third-party transfers, B2B exchange, batch jobs, regulated data movement), and the advisory underscores how CL0P/TA505 repeatedly targets these systems using zero-days to gain rapid, scalable access to datasets suitable for extortion.

The advisory’s technical narrative explains why MOVEit exploitation mapped well to mass theft. After gaining initial access through SQL injection (CVE-2023-34362), the attackers deployed LEMURLOOT, a C# web shell tailored to MOVEit Transfer. CISA/FBI report that LEMURLOOT can authenticate using a generated password and accept commands via a specific HTTP header, and it can query and enumerate the underlying SQL database. Critically for cloud and hybrid environments, the advisory notes functionality to retrieve Microsoft Azure-related settings and Blob Storage configuration/keys from MOVEit system settings—highlighting how compromise of an on-prem or hosted transfer application can become a pivot into cloud storage access paths without “moving laterally” in the traditional endpoint sense.
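Because the implant described above is a server-side script dropped into the application's web root, a known-good manifest of that directory is one of the most durable ways to surface it. The following is an added example written for this summary, not code from CISA, the FBI or Progress Software: it baselines a directory with SHA-256 digests, re-scans it, and separately flags any added or modified file with an extension IIS/ASP.NET would execute or use to map handlers. The directory layout, file names (including `EXAMPLE_NEW_SHELL.aspx`) and contents are constructed placeholders, not indicators from the advisory.

```python
"""Baseline-and-diff integrity check for a web root.

Added example: build a manifest of a directory, re-scan it later, and
flag new or changed server-executable files. All paths and contents
below are constructed for illustration.
"""
import hashlib
import os
import tempfile

# Extensions ASP.NET executes on request, plus the files that control
# handler mappings. A new or changed file of these kinds in the web
# root warrants immediate triage.
SENSITIVE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config"}


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return added, modified and removed paths, plus the subset worth escalating."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = sorted(
        p for p in added + modified
        if os.path.splitext(p)[1].lower() in SENSITIVE_EXTENSIONS
    )
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


def _write(root: str, rel: str, text: str) -> None:
    """Helper: write a small text file under root, creating directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict[str, list[str]]:
    """Construct a toy web root, baseline it, simulate a drop, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "default.aspx", '<%@ Page Language="C#" %>\n')
        _write(root, "web.config", "<configuration/>\n")
        _write(root, "images/logo.png", "png-bytes\n")
        baseline = build_manifest(root)

        # Simulated later state: one new server-side script (placeholder
        # name, not an indicator from the advisory) and one edited asset.
        _write(root, "EXAMPLE_NEW_SHELL.aspx", '<%@ Page Language="C#" %> <% /* constructed */ %>\n')
        _write(root, "images/logo.png", "png-bytes-changed\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    result = demo()
    for key in ("suspicious", "added", "modified", "removed"):
        print(f"{key}: {result[key]}")
```

In production the baseline manifest would be written after each legitimate deployment or patch and stored off the host, so that an attacker who can write to the web root cannot also rewrite the reference; the diff then runs on a schedule and the `suspicious` list feeds an alert.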

From an infrastructure risk perspective, the CISA/FBI write-up also signals a shift in extortion economics. The advisory notes that in campaigns beginning in 2021, CL0P “preferred to rely mostly on data exfiltration over encryption.” That preference increases the likelihood that organizations will see impacts centered on data exposure, executive-targeted extortion communications, and downstream third-party notifications—especially when MFT systems consolidate transfers for multiple business units or external partners.

Operationally, the key global takeaway is that the same threat actor has demonstrated repeatable zero-day capability and targeting focus across multiple MFT vendors (Accellion, GoAnywhere, MOVEit). That pattern suggests defenders should treat internet-facing file transfer services as high-risk infrastructure, with security posture assumptions closer to externally exposed identity or remote access systems than to “internal tools.” CISA/FBI further warn that, given TA505’s speed and prior campaigns, they expected widespread exploitation of unpatched services across both public and private networks.

This advisory is historical but remains strategically relevant for security, cloud, and infrastructure teams because it documents an attacker’s end-to-end monetization pattern: exploit-at-scale → implant web shell designed for the platform → extract database content and potentially cloud storage configuration → pressure executives using stolen-file proof → publish on leak site if unpaid. Even where patches are long deployed, the described TTPs and IOCs provide durable detection and threat modeling value for organizations that still operate MFT or similar data-movement middleware.
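The web shell in the chain above is driven over HTTP, so the web server's own access log is a second durable source for after-the-fact triage. The following added example (not from the advisory or from Progress Software) parses IIS W3C-format log lines using the `#Fields` directive and flags two things: requests to `.aspx`/`.ashx` endpoints that are not in a deployment's known-endpoint baseline, and unusually large responses from such unknown paths, which is the shape bulk database extraction through a shell would take. The log excerpt, the `KNOWN_ENDPOINTS` allowlist, the `EXAMPLE_NEW_SHELL.aspx` name and the size threshold are all constructed placeholders.

```python
"""Triage IIS W3C logs for requests to unexpected server-side endpoints.

Added example: the log lines, allowlist and threshold are constructed
for illustration and are not indicators from the advisory.
"""
from collections import defaultdict

# Constructed W3C-format excerpt; the #Fields directive drives parsing.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes cs-bytes
2023-06-01 02:11:04 GET /login.aspx 198.51.100.7 200 4120 310
2023-06-01 02:11:09 POST /EXAMPLE_NEW_SHELL.aspx 203.0.113.5 200 812 455
2023-06-01 02:11:15 POST /EXAMPLE_NEW_SHELL.aspx 203.0.113.5 200 58344210 470
2023-06-01 02:12:30 GET /api/v1/files 198.51.100.9 200 930 200
2023-06-01 02:13:02 GET /images/logo.png 198.51.100.7 200 2048 150
"""

# Hypothetical baseline of endpoints the deployment is known to serve.
KNOWN_ENDPOINTS = {"/login.aspx", "/api/v1/files", "/images/logo.png"}
# Responses at or above this size from an unknown path are escalated;
# tune to the transfer sizes normal for the deployment.
LARGE_RESPONSE_BYTES = 10 * 1024 * 1024


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C log text into a list of field-name -> value rows."""
    fields: list[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def triage(rows: list[dict[str, str]]) -> dict[str, list]:
    """Flag unknown script endpoints and large responses from unknown paths."""
    findings = defaultdict(list)
    for r in rows:
        stem = r["cs-uri-stem"]
        unknown = stem not in KNOWN_ENDPOINTS
        if unknown and stem.lower().endswith((".aspx", ".ashx")):
            findings["unknown_script_endpoint"].append((r["c-ip"], stem))
        if unknown and int(r["sc-bytes"]) >= LARGE_RESPONSE_BYTES:
            findings["large_response_unknown_path"].append((r["c-ip"], stem, int(r["sc-bytes"])))
    return dict(findings)


def clients_of_interest(findings: dict[str, list]) -> list[str]:
    """Distinct client IPs that appear in any finding, for pivoting."""
    return sorted({hit[0] for hits in findings.values() for hit in hits})


if __name__ == "__main__":
    found = triage(parse_w3c(SAMPLE_LOG))
    for category, hits in found.items():
        print(category)
        for hit in hits:
            print("  ", hit)
    print("clients:", clients_of_interest(found))
```

Custom request headers are not recorded by IIS by default, so a header-based command channel like the one the advisory describes will not show up in the log itself; the path-and-size view here is what the standard log can give, and the client list it produces is the pivot into firewall, proxy and database audit logs.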

Event Type: security
Importance: high

Affected Companies

  • Accellion
  • CISA
  • FBI
  • Fortra
  • Linoma Software
  • Progress Software

Affected Sectors

  • Cloud Security
  • Cybersecurity
  • Infrastructure
  • Managed File Transfer (MFT)
  • Risk & Compliance

Key Numbers

  • CISA advisory alert code: AA23-158A
  • Initial exploitation reported by open sources (per CISA/FBI): May 27, 2023
  • CISA KEV catalog add date for CVE-2023-34362: June 2, 2023
  • Advisory release date: June 7, 2023
  • Advisory update date: June 16, 2023
  • GoAnywhere campaign impact claimed by CL0P (per advisory): ~130 victims over ~10 days
  • TA505 compromise estimate cited in advisory: more than 3,000 U.S.-based and 8,000 global organizations

Timeline

  1. TA505/CL0P conducted zero-day exploitation campaigns against Accellion File Transfer Appliance (FTA) and used the DEWMODE web shell (per CISA/FBI).
  2. CL0P launched a zero-day campaign against GoAnywhere MFT (CVE-2023-0669), claiming data exfiltration impacting ~130 victims over ~10 days (per advisory).
  3. CL0P/TA505 began exploiting MOVEit Transfer via a previously unknown SQL injection vulnerability (CVE-2023-34362), installing the LEMURLOOT web shell and stealing data (per open source information cited by CISA/FBI).
  4. CISA added CVE-2023-34362 to the Known Exploited Vulnerabilities (KEV) Catalog (per advisory).
  5. CISA and FBI published AA23-158A with IOCs/TTPs and mitigations for CL0P activity targeting MOVEit Transfer.
  6. CISA re-released the CSA to remove older GoAnywhere campaign IPs and add new IP addresses (per advisory update note).
