
Reviewed threat activity

CL0P MOVEit Transfer Mass Exploitation

CL0P's MOVEit activity showed how exploitation of a managed file-transfer product could turn into mass data theft, extortion, and downstream victim notification at unusual scale.

Source: CISA. Confidence: high

How The Activity Unfolds In ATT&CK

The MOVEit activity starts with exploitation of a public-facing application, then turns the managed transfer environment into a data theft channel.

  1. T1190 Exploit Public-Facing Application. Internet-exposed MOVEit Transfer servers are the initial access point; no credentials or user interaction are needed.
  2. T1505.003 Web Shell. A web shell dropped into the application's web root gives the actor persistent, interactive access to the compromised server and its database.
  3. T1041 Exfiltration Over C2 Channel. Stolen data is pulled back over the same channel the actor already uses to interact with the web shell.
  4. T1567 Exfiltration Over Web Service. Web-accessible file-transfer paths carry stolen data as well, so the product's own download functionality becomes part of the theft path.

Defender Readout

This activity is a reference case for third-party application exposure, managed file-transfer monitoring, and rapid scoping of which files the actor could reach once the application was compromised. The two exfiltration mappings describe channels, not volume; scoping still depends on the product's own access records and on the web server logs that show the web shell being used.
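One way to turn the sequence above into a triage check, as an added example that is not code from CISA or from the MOVEit product: scan an IIS W3C log for requests to .aspx files outside a baseline of legitimate pages (the web shell indicator), then collect every later file download by the same client to scope the data theft. The log lines are constructed for the example; the baseline endpoint names, the `/download` URI pattern and the field layout are assumptions, and `human2.aspx` is used as the web shell name because CISA reports it, not because it appears in any real log here.

```python
"""Triage helper: find suspected web-shell requests in an IIS W3C log and
scope the downloads that followed them (added example, not advisory code).

Assumptions (not from the page or the product documentation):
  - IIS W3C log with the fields named in the #Fields: header below;
  - KNOWN_ASPX is a hypothetical baseline of legitimate .aspx endpoints;
  - file downloads are requests whose URI stem contains "/download".
"""
from collections import defaultdict

# Hypothetical baseline of legitimate MOVEit-style pages (assumption).
KNOWN_ASPX = {"/human.aspx", "/machine.aspx", "/guestaccess.aspx"}

# Constructed IIS W3C log excerpt for the example; not real evidence.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2023-05-29 03:10:01 10.0.0.5 GET /human.aspx - 200 4120
2023-05-29 03:12:47 198.51.100.7 GET /human2.aspx - 200 2048
2023-05-29 03:13:02 198.51.100.7 POST /human2.aspx - 200 16384
2023-05-29 03:15:30 198.51.100.7 GET /api/v1/folders/1/files/77/download - 200 52428800
2023-05-29 03:16:10 198.51.100.7 GET /api/v1/folders/1/files/78/download - 200 20971520
2023-05-29 04:00:00 10.0.0.9 GET /human.aspx - 200 4120
2023-05-29 04:05:00 10.0.0.9 GET /api/v1/folders/2/files/9/download - 200 1024
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def find_webshell_hits(rows):
    """Requests for .aspx files outside the baseline: the T1505.003 indicator."""
    return [
        r for r in rows
        if r["cs-uri-stem"].lower().endswith(".aspx")
        and r["cs-uri-stem"].lower() not in KNOWN_ASPX
    ]


def scope_exfiltration(rows, hits):
    """For each client that touched a suspected web shell, collect the file
    downloads it made afterwards and the bytes served (T1041/T1567 scoping).
    Timestamps are ISO-ordered strings, so plain comparison preserves order."""
    first_hit = {}
    for h in hits:
        ts = h["date"] + " " + h["time"]
        first_hit[h["c-ip"]] = min(first_hit.get(h["c-ip"], ts), ts)

    scope = defaultdict(lambda: {"files": [], "bytes": 0})
    for r in rows:
        ip = r["c-ip"]
        if ip not in first_hit:
            continue
        if r["date"] + " " + r["time"] < first_hit[ip]:
            continue  # activity before the web shell appeared is out of scope here
        if "/download" in r["cs-uri-stem"] and r["sc-status"] == "200":
            scope[ip]["files"].append(r["cs-uri-stem"])
            scope[ip]["bytes"] += int(r["sc-bytes"])
    return dict(scope)


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    hits = find_webshell_hits(rows)
    for h in hits:
        print("web shell request:", h["c-ip"], h["cs-method"], h["cs-uri-stem"])
    for ip, s in scope_exfiltration(rows, hits).items():
        print(f"{ip}: {len(s['files'])} files, {s['bytes']} bytes served")
```

The client with no web shell hit (10.0.0.9) is deliberately left out of the scope even though it downloaded a file; the point of the check is to separate normal transfer traffic from traffic that follows the T1505.003 indicator. A real investigation would widen this with the product's own audit tables and the database activity the web shell performed, since web server logs show sizes and paths but not which records were read.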

Evidence And Mapping Rationale

T1190 Exploit Public-Facing Application (evidence term: MOVEit Transfer)

CISA describes exploitation of internet-exposed MOVEit Transfer servers through a SQL injection vulnerability, CVE-2023-34362, that required no authentication.

T1505.003 Web Shell (evidence term: web shell)

The advisory documents a web shell, the human2.aspx file CISA tracks as LEMURLOOT, written to the compromised application after exploitation and used to interact with it.

T1041 Exfiltration Over C2 Channel (evidence term: exfiltration)

The campaign centered on theft of data from compromised file-transfer environments; this mapping covers data pulled back through the actor's existing interactive channel to the web shell.

T1567 Exfiltration Over Web Service (evidence term: data exfiltration)

Exfiltration through web services is an appropriate ATT&CK mapping for the managed transfer data theft path, since the product's web-facing download functions carried stolen files. The advisory does not apportion volume between the two exfiltration techniques, so treat them as complementary descriptions of channel rather than as separate events to scope.