Frequently Asked Questions

Incident Response & Cl0p MoveIT Attacks

What is the Cl0p APT group's MoveIT vulnerability attack?

The Cl0p Advanced Persistent Threat (APT) group exploited a SQL Injection vulnerability in the MoveIT application from Progress Software. This vulnerability, published as a CVE on June 1st, allows attackers to compromise systems used for inter-organizational file transfers. The attack has impacted both public and private organizations, including government agencies and major enterprises such as British Airways and the BBC.

How did Cymulate respond to the Cl0p MoveIT attacks?

Cymulate responded rapidly by creating and releasing an Immediate Threat Assessment for its Breach and Attack Simulation (BAS) platform. This assessment enables organizations to test whether their security controls can detect the specific Indicators of Compromise (IOCs) associated with the Cl0p attacks, including known executables and Command and Control (C2) IP addresses/URLs. Cymulate continues to update its platform with new simulation objects as the threat evolves.

What should Cymulate customers using MoveIT do in response to the Cl0p attacks?

Cymulate customers using MoveIT are strongly encouraged to run the Immediate Threat Assessment available in the platform to verify their security controls against the latest IOCs. Customers should also monitor the Immediate Threat Assessment feed for new variants and follow CISA's advisory to mitigate the vulnerability, then re-test with Cymulate to confirm the effectiveness of their mitigation efforts.

How does Cymulate keep its platform updated with emerging threats like Cl0p?

Cymulate continuously monitors the threat landscape through its Research Lab and updates the platform with new Immediate Threat Assessments and simulation objects as new threats emerge. This ensures customers can validate their defenses against the latest attack techniques and indicators.

Where can I find official advisories and updates related to the MoveIT vulnerability?

Official advisories and updates can be found on the Cybersecurity & Infrastructure Security Agency (CISA) website, including the advisory released on June 1st, 2023. Cymulate also provides ongoing updates and guidance through its platform and blog.

What is an Immediate Threat Assessment in Cymulate?

An Immediate Threat Assessment is a simulation module in Cymulate's BAS platform that allows organizations to test their security controls against the latest real-world threats, including specific attack techniques, IOCs, and malware used in active campaigns like the Cl0p MoveIT attacks.

How does Cymulate help organizations confirm their mitigation efforts are effective?

Cymulate enables organizations to re-test their security controls after applying mitigations by running updated Immediate Threat Assessments. This ensures that the applied fixes are effective against the latest attack variants and techniques.

Who are the Cymulate Research Lab and what is their role?

The Cymulate Research Lab is a team of experienced security researchers with backgrounds in private security, military, and intelligence. They continuously analyze the cyber-threat landscape and deliver in-depth visibility into current threats, supporting the development of Cymulate's simulation content and threat intelligence.

How can I learn more about Cymulate's Exposure Validation capabilities?

You can learn more about Cymulate's Exposure Validation by visiting the official data sheet at https://cymulate.com/data-sheet/exposure-validation/ or exploring the platform overview at https://cymulate.com/platform/.

Where can I find more resources and case studies about Cymulate's effectiveness?

Cymulate provides a wide range of resources, including case studies, whitepapers, and solution briefs, in its Resource Hub at https://cymulate.com/resources/. Featured case studies include organizations like Banco PAN and RBI, which have used Cymulate to optimize security controls and validate SIEM detection.

Features & Capabilities

What are the key features of Cymulate's Exposure Management Platform?

Cymulate's Exposure Management Platform offers continuous threat validation, breach and attack simulation (BAS), continuous automated red teaming (CART), exposure prioritization, attack path discovery, automated mitigation, and cloud validation. The platform provides actionable insights, measurable outcomes, and integrates with a wide range of security controls.

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with numerous security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, CrowdStrike Falcon LogScale, and Cybereason. For a full list, visit Cymulate's Partnerships and Integrations page.

How does Cymulate automate security validation?

Cymulate automates security validation by running 24/7 attack simulations, automating offensive testing, and integrating with security controls to push threat updates and build custom detection rules. This reduces manual effort and enables continuous validation of defenses.

What is Cymulate's Immediate Threat Assessment feed?

The Immediate Threat Assessment feed is a continuously updated stream of the latest threat simulations and indicators, allowing customers to test their defenses against newly discovered threats and attack variants as soon as they are identified by Cymulate's Research Lab.

How does Cymulate help with lateral movement attack prevention?

Cymulate's Attack Path Discovery module automates testing for lateral movement and privilege escalation. For more information, see the blog post 'Stopping Attackers in Their Tracks' at https://cymulate.com/blog/mitigate_lateral_movement_iam_network_segmentation/.

What technical documentation is available for Cymulate?

Cymulate offers whitepapers, guides, solution briefs, data sheets, and e-books covering topics such as exposure management, CTEM, threat detection, vulnerability management, and attack path discovery. Access these resources at https://cymulate.com/resources/.

How often is Cymulate's platform updated?

Cymulate updates its SaaS platform every two weeks, adding new features such as AI-powered SIEM rule mapping and advanced exposure prioritization to ensure customers have access to the latest capabilities.

What is Cymulate's approach to cloud security validation?

Cymulate provides dedicated validation features for hybrid and cloud environments, integrating with cloud security tools like AWS GuardDuty and Check Point CloudGuard to simulate and validate cloud-specific threats and exposures.

How does Cymulate support detection engineering?

Cymulate enables organizations to build, tune, and test SIEM, EDR, and XDR detection rules, improving mean time to detect and ensuring that detection capabilities are effective against real-world threats. For more, see the Detection Engineering solution brief at https://cymulate.com/solution-brief/detection-engineering/.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as finance, healthcare, retail, media, and transportation. Organizations of all sizes, from small businesses to enterprises with over 10,000 employees, can benefit from Cymulate's platform.

What business impact can customers expect from Cymulate?

Customers typically see a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. Cymulate also enables 40X faster threat validation and significant time savings when testing new threats.

What problems does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing continuous threat validation, actionable insights, and unified exposure management.

How does Cymulate tailor its solutions for different security roles?

Cymulate provides validated exposure scoring and metrics for CISOs, automates processes for SecOps teams, offers scalable offensive testing for red teams, and consolidates vulnerability insights for vulnerability management teams. Each persona receives tailored features and reporting to address their unique challenges.

What customer feedback has Cymulate received about ease of use?

Customers consistently praise Cymulate for its intuitive design, ease of deployment, and user-friendly dashboard. Testimonials highlight the platform's simplicity, practical insights, and excellent support, making it accessible even for teams with limited resources.

How quickly can Cymulate be implemented?

Cymulate can be implemented rapidly, often in just a few clicks. Customers report a fast and straightforward deployment process, with agentless mode and minimal resource requirements, allowing organizations to start running simulations almost immediately.

What support resources are available for Cymulate customers?

Cymulate provides comprehensive support, including email and chat support, webinars, e-books, a knowledge base, and a Resource Hub with technical documentation and best practices to ensure a smooth onboarding and ongoing experience.

How does Cymulate help organizations move from reactive to proactive security?

Cymulate enables organizations to proactively validate their security posture, prioritize vulnerabilities, and continuously improve defenses through automated simulations and actionable insights, shifting from reactive incident response to proactive threat management.

What is Cymulate's mission and vision?

Cymulate's mission is to revolutionize cybersecurity by empowering organizations to proactively manage their security posture and improve resilience against threats. The company fosters a collaborative environment and continuously innovates to help customers stay ahead of emerging risks.

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating compliance with industry standards for security, privacy, and cloud services. For more details, visit Security at Cymulate.

How does Cymulate ensure data security and privacy?

Cymulate hosts its services in secure AWS data centers, uses strong encryption (TLS 1.2+ for data in transit, AES-256 for data at rest), and follows a strict Secure Development Lifecycle (SDLC). The company also complies with GDPR and employs a dedicated privacy and security team, including a DPO and CISO.

What is Cymulate's approach to compliance with international standards?

Cymulate maintains compliance with internationally recognized standards such as ISO 27001:2013 for information security management, ISO 27701 for privacy information management, and ISO 27017 for cloud security. The company undergoes regular audits and third-party assessments to ensure ongoing compliance.

How does Cymulate protect customer data in the cloud?

Cymulate's services are hosted in secure AWS data centers with multiple data locality options, strong physical security, encryption for data in transit and at rest, and high availability through redundancy and disaster recovery planning.

Does Cymulate comply with GDPR?

Yes, Cymulate incorporates data protection by design and complies with GDPR requirements. The company has a dedicated privacy and security team, including a Data Protection Officer (DPO), to oversee compliance and privacy practices.

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate offers a larger threat scenario library and AI-powered capabilities for workflow automation and security posture improvement. AttackIQ focuses on automated security validation but does not match Cymulate's innovation, threat coverage, or ease of use.

What differentiates Cymulate from Mandiant Security Validation?

Mandiant is an original BAS platform but has seen limited innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and being recognized as a grid leader.

How does Cymulate compare to Pentera?

Pentera is useful for attack path validation but lacks the depth Cymulate provides for comprehensive exposure validation and defense optimization. Cymulate scales offensive testing and increases exposure awareness.

What makes Cymulate different from Picus Security?

Picus may suit organizations seeking an on-prem BAS vendor. Cymulate offers a more complete exposure validation platform, covering the full kill chain and cloud control validation.

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation, featuring the industry’s largest attack library, a full CTEM solution, and comprehensive exposure validation.

What is the difference between Cymulate and Scythe?

Scythe is suitable for advanced red teams building custom attack campaigns. Cymulate provides a more comprehensive exposure validation platform with actionable remediation and automated mitigation.

How does Cymulate compare to NetSPI?

NetSPI excels in penetration testing as a service (PTaaS), while Cymulate is designed for continuous, independent assessment and strengthening of defenses, recognized as a leader in exposure validation by Gartner and G2.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected for simulation. For a personalized quote, schedule a demo at https://cymulate.com/schedule-a-demo/.

How can I get a quote for Cymulate?

You can get a detailed quote based on your organization's requirements by scheduling a demo with Cymulate's team at https://cymulate.com/schedule-a-demo/.

Resources & Documentation

Where can I find Cymulate's Resource Hub?

The Resource Hub, containing whitepapers, guides, solution briefs, data sheets, e-books, and more, is available at https://cymulate.com/resources/.

How can I stay updated with Cymulate's latest news and research?

Stay informed by visiting Cymulate's company blog for the latest threats and research, and the Newsroom for media mentions and press releases.

Where can I find Cymulate's blog?

Cymulate's blog, featuring analysis of the latest threats and research, is available at https://cymulate.com/blog/.

What information is required to subscribe to the Cymulate blog?

To subscribe to the Cymulate blog, you need to provide your full name, email address, and country of residence. For more details, see the privacy policy.

Does Cymulate have a newsroom?

Yes, Cymulate's newsroom features media mentions, bylines, and press releases in leading publications. Visit https://cymulate.com/news/ for the latest updates.

Company Information

When was Cymulate founded?

Cymulate was established in 2016 and has since grown to serve over 1,000 customers in 50 countries, with a presence in 8 global locations.

What is Cymulate's mission?

Cymulate's mission is to revolutionize how companies approach cybersecurity by fostering a proactive stance against threats and empowering organizations to manage their security posture effectively.


Cl0p APT Group Exploits MoveIT Vulnerability

By: Cymulate Research Lab

Last Updated: March 17, 2026


Cymulate has been closely following the recent string of attacks by the cl0p Advanced Persistent Threat (APT) group, which leverage the vulnerability recently found in the MoveIT application from Progress Software. Originally published as a CVE on June 1st, the vulnerability is a SQL injection weakness in the MoveIT platform, which is often visible to the outside world to facilitate inter-organizational file transfers.

The Cybersecurity & Infrastructure Security Agency (CISA) – the US Federal cybersecurity agency – released an Advisory on June 1st to alert US Federal and State governments about the likelihood of attack with this vulnerability.

Widespread Impact in the UK

On June 7th and 8th, the United Kingdom began reporting incursions by the cl0p APT group, which used exploits against the vulnerability in MoveIT, after the ransomware group publicly stated that Government agency systems had been compromised, including systems used by British Airways and the British Broadcasting Company (BBC). The statements from cl0p included ultimatums for these organizations to pay the ransom or risk extensive downtime and data compromise.

Confirmed Breach of U.S. Federal Agency

On June 15th, Cymulate was able to confirm that at least one US Federal Agency, the Department of Energy, was partially compromised by the cl0p APT group through the use of the MoveIT vulnerability. See also Christian Vasquez of CyberScoopNews, Politico, and the Electronic Frontier Foundation. As this attack is ongoing, the extent of the compromise and the potential that other Agencies were also successfully attacked are not yet fully known. CISA has not provided comment on this ongoing attack activity beyond referring to their Advisory of June 1st.

This escalation of activity indicates that private and public organizations in the US are likely to see scanning traffic and active attempts to perform ransomware attacks against critical infrastructure in the coming days and weeks.

Cymulate’s Immediate Response

Shortly after the UK attacks were confirmed, Cymulate created and released an Immediate Threat Assessment that allows organizations using the Cymulate Breach and Attack Simulation (BAS) platform to confirm that their security controls are able to recognize the Indicators of Compromise involved in the attacks seen so far. This Immediate Threat Assessment includes the known executables and other file components, as well as the known Command and Control (C2) IP addresses/URLs used by the group for this specific attack.

Cymulate customers who use MoveIT by Progress Software are strongly encouraged to run the existing Immediate Threat Assessment as soon as possible, and to closely watch the Immediate Threat Assessment feed for new variants as they are discovered. MoveIT customers should also immediately review the Advisory from CISA and take steps to mitigate the exploitability of this vulnerability, then re-test with Cymulate to confirm the mitigation has had the desired impact.

As with any emergent threat activity known to be in active use by threat actors, Cymulate will continue to monitor the situation and update the Cymulate Platform with additional simulation objects such as Immediate Threat Assessments as the situation warrants.
