MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
§ Context
Assumed environment: target uses Progress MOVEit Transfer, internet-exposed, unpatched for CVE-2023-34362. MOVEit holds sensitive customer / employee files (its main use case).
§ Steps
- 01. Download every file in storage (Exfiltration): T1041 — Exfiltration Over C2 Channel
- 02. Leak-site ransom note (Impact): T1486 — Data Encrypted for Impact
- 03. .NET deserialisation chain → SYSTEM (Execution): W-DESER-NET — Deserialization — .NET BinaryFormatter / JSON.NET
- 04. Identify MOVEit by HTTP headers (Reconnaissance): W-RECON-FINGERPRINT — Tech Stack Fingerprinting
- 05. Webshell on the appliance (Persistence): W-WEBSHELL — Webshell Deployment
- 06. SQLi in /human.aspx → admin session (Initial Access): CVE-MOVEIT — MOVEit Transfer SQLi → Deserialisation (CVE-2023-34362)
§ References
§ Frequently asked
- What is the "MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)" attack path?
- Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Download every file in storage (T1041), an exfiltration primitive. Assumed environment: target uses Progress MOVEit Transfer, internet-exposed, unpatched for CVE-2023-34362.
- What is the final impact of this kill-chain?
- The final step lands on SQLi in /human.aspx → admin session (CVE-MOVEIT), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Origin IP bypass → direct attack on backend (shared techniques: 2)
  Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- Vesting beneficiary replace → silently drain stream (shared techniques: 2)
  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024) (shared techniques: 2)
  Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- Uninitialised UUPS proxy implementation → brick contracts (shared techniques: 2)
  UUPS upgradeable contracts must initialise the implementation contract itself. If skipped, anyone can call `initialise()` and become its owner — then call `selfdestruct` to brick every proxy referencing it (Parity Multisig 2017).
- Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach (shared techniques: 2)
  Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat (shared techniques: 2)
  Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.