Named attack · kill-chain walkthrough

MOVEit Transfer / Cl0p

Mass exfiltration via pre-auth SQL injection in a shared MFT appliance

Cl0p (TA505 / Lace Tempest) · May – Jun 2023 · Moderate confidence

Attributed by Microsoft Threat Intelligence to Lace Tempest, the Cl0p-affiliated actor tracked by MITRE as TA505 (G0092). CISA and FBI jointly attributed the campaign in advisory AA23-158A.

Cl0p exploited a pre-authentication SQL-injection zero-day (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file-transfer appliance. Because MOVEit is deployed as a shared internet-facing service by third-party data processors, a single compromised appliance exposed dozens of downstream client organizations. Cl0p did not encrypt any data — it bulk-downloaded files and coerced payment by threatening to publish stolen records on its dark-web leak site, ultimately affecting ~2,700 organizations and ~95 million individuals.

[Kill-chain diagram, 7 scenes: Cl0p operator → SQL injection (CVE-2023-34362) against an internet-exposed MOVEit Transfer web service on port 443, pre-auth, no creds → LEMURLOOT `human2.aspx` .NET web shell with hardcoded header auth (T1505.003) → MOVEit shared hub serving many downstream orgs (payroll processor, government agencies, universities, energy, finance, HR provider, pension fund, airlines, consulting, insurance, media, bank) → SQL Server file metadata and org list enumerated, bulk download, NO ENCRYPTION, files leave intact → shell removed, `human2.aspx` deleted, session tokens purged (T1070.001 · T1070.004), timed to the US Memorial Day weekend 27–29 May 2023 for reduced IR capacity → data exfiltrated: payroll, SSNs, health records, HR data, govt correspondence → 14 Jun 2023 leak site goes live]
  1. Phase 01 · Initial Access · TA0001

    Pre-auth SQL injection in an internet-facing file-transfer appliance — no credentials required

    • CVE-2023-34362 is a pre-authentication SQL injection flaw in MOVEit Transfer's web application. An unauthenticated attacker can send a crafted HTTP request to the MOVEit web interface and execute arbitrary SQL against the backend database.
    • Progress Software disclosed the vulnerability on 31 May 2023; exploitation was already underway by that date. Mandiant and Kroll forensic evidence shows Cl0p had privately tested the exploit as early as 2021 and stockpiled it for a coordinated mass-exploitation campaign.
    • Cl0p conducted automated scan-and-spray operations against internet-exposed MOVEit Transfer instances. Because MOVEit is typically deployed as a public-facing HTTPS service for partner file exchange, thousands of instances were reachable from the open internet.
    • The National Vulnerability Database rated CVE-2023-34362 CVSS 9.8 (Critical); no authentication, no user interaction, network-exploitable.
  2. Phase 02 · Execution · TA0002

    LEMURLOOT web shell drops onto the appliance — a .NET assembly masquerading as a MOVEit component

    • Via the SQL injection the operator wrote a custom .NET web shell — LEMURLOOT (Mandiant designation) — to disk as `human2.aspx` inside the MOVEit web root. The file name mimics MOVEit's own legitimate `human.aspx` handler.
    • LEMURLOOT is invoked through MOVEit's standard IIS/ASP.NET request pipeline; from the web server's perspective it is just another .aspx page handling an authenticated partner request.
    • The web shell authenticates its operator with a hardcoded password transmitted in an HTTP header (`X-siLock-Comment`), preventing other threat actors from hijacking the shell.
    • Once active, LEMURLOOT provides the operator with arbitrary SQL execution, file download, and session-management capabilities.
  3. Phase 03 · Discovery · TA0007

    LEMURLOOT queries MOVEit's SQL Server to enumerate every stored file and every downstream customer

    • LEMURLOOT issued SQL queries against MOVEit's internal SQL Server (or MySQL) database to enumerate files, folders, upload history, and — critically — the list of organizations whose data was stored on the shared appliance.
    • MOVEit Transfer is commonly deployed by managed service providers, payroll processors, and data-aggregators as a shared platform for many client organizations. A single instance often held files belonging to dozens of distinct customers.
    • This reconnaissance revealed the full scope of data available for theft without any lateral movement; the victim's own database was the inventory.
  4. Phase 04 · Defense Evasion · TA0005

    LEMURLOOT deletes its own session logs after each run and inserts/removes operator tokens to cover tracks

    • LEMURLOOT was designed to self-clean: it deleted MOVEit application log entries corresponding to its own activity at the end of each operator session, removing evidence of file-download requests.
    • The web shell also inserted temporary session tokens into MOVEit's database to authorize its own requests, then deleted those tokens before exiting — leaving no persistent database artefact.
    • The file name `human2.aspx` was chosen to blend with the legitimate `human.aspx` handler already present in the web root, reducing the chance of casual file-listing detection.
    • Cl0p timed the mass-exploitation window to coincide with the U.S. Memorial Day holiday weekend (27–29 May 2023), when incident-response capacity at many organizations was reduced.
  5. Phase 05 · Collection · TA0009

    Bulk download of every file on the appliance — one breach, many victims via the shared-service model

    • LEMURLOOT issued bulk file-download requests through MOVEit's own API, streaming stored files to operator-controlled infrastructure. No separate exfiltration tooling was needed; the web shell used MOVEit's own transfer mechanism.
    • Because MOVEit is typically deployed as a multi-tenant shared service — one instance serving many client organizations — a single compromised appliance yielded data belonging to dozens of downstream victims who had no direct relationship with the compromised server.
    • Highly sensitive file types were common payloads: payroll records, HR data, Social Security numbers, health information, pension data, and government correspondence — the kinds of files organizations routinely exchange via managed file transfer.
    • Notable downstream exposure paths included: MOVEit instances operated by Zellis (payroll processor for BA, BBC, Boots); Teachers Insurance and Annuity Association (TIAA); the National Student Clearinghouse; and multiple U.S. federal contractors.
  6. Phase 06 · Exfil & Cleanup · TA0010

    Data leaves intact — no encryption, no ransom note on disk, web shell removed before defenders arrive

    • Unlike conventional ransomware, Cl0p did not deploy any encryption payload. Files were exfiltrated in their original form; the victim's production systems were left fully operational.
    • After completing collection, LEMURLOOT was removed from disk and its database session entries deleted — in many cases defenders found no web shell artefact at all, only IIS HTTP log entries (where those had not been purged), which is why the web server's own logs, kept outside the MOVEit database, became the primary evidence source.
    • CISA advised responders to look for newly created .aspx files in the MOVEit web root, anomalous SQL queries in database audit logs, and outbound HTTP connections from the MOVEit host to unusual destinations.
    • The absence of encryption meant many victim organizations did not discover the breach through operational disruption — they learned of it when Cl0p published their name on the leak site weeks later.
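As an added hunt helper (not part of this tracker page, CISA's advisory or any Progress tooling), the Python below applies two of the CISA checks above to the IIS W3C logs of a MOVEit host: it lists `.aspx` requests outside an assumed allow-list of stock handlers, and sums bytes served per client IP per hour to surface bulk download. The log excerpt, the handler allow-list and the 500 MB threshold are constructed assumptions to be adjusted per installation.

```python
from collections import defaultdict
from typing import Dict, List

# Assumption: legitimate .aspx handlers in a stock MOVEit web root (verify against your install).
KNOWN_ASPX = {"human.aspx", "machine.aspx", "guestaccess.aspx"}
BULK_BYTES = 500_000_000  # constructed threshold: 500 MB served to one client IP within one hour

# Constructed IIS W3C log excerpt; IPs and sizes are made up, not victim data.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-05-28 02:11:04 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 203.0.113.7 200 512
2023-05-28 02:11:05 10.0.0.5 POST /human2.aspx - 203.0.113.7 200 1024
2023-05-28 02:11:09 10.0.0.5 GET /human2.aspx - 203.0.113.7 200 380000000
2023-05-28 02:11:40 10.0.0.5 GET /human2.aspx - 203.0.113.7 200 290000000
2023-05-28 09:00:01 10.0.0.5 GET /human.aspx orgid=12 198.51.100.9 200 2048
"""

def parse_iis(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def unknown_aspx(records: List[Dict[str, str]]) -> set:
    """.aspx URIs not on the allow-list; a dropped shell such as human2.aspx shows up here."""
    hits = set()
    for r in records:
        name = r["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name.endswith(".aspx") and name not in KNOWN_ASPX:
            hits.add(r["cs-uri-stem"])
    return hits

def bulk_download_ips(records: List[Dict[str, str]], threshold: int = BULK_BYTES) -> Dict[str, int]:
    """Client IPs that received more than `threshold` bytes in any single hour (peak hour reported)."""
    per_hour = defaultdict(int)
    for r in records:
        hour = r["date"] + " " + r["time"][:2]
        per_hour[(r["c-ip"], hour)] += int(r["sc-bytes"])
    flagged: Dict[str, int] = {}
    for (ip, _), total in per_hour.items():
        if total > threshold:
            flagged[ip] = max(total, flagged.get(ip, 0))
    return flagged

if __name__ == "__main__":
    recs = parse_iis(IIS_LOG)
    print("unexpected .aspx:", unknown_aspx(recs))
    print("bulk download by client IP:", bulk_download_ips(recs))
```

Custom request headers such as `X-siLock-Comment` are not captured by default IIS logging, so the script keys on URI names and served volume rather than on the shell's header.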
  7. Phase 07 · Impact / Mass Extortion · TA0040

    No encryption — Cl0p named ~2,700 victims on its dark-web leak site and demanded payment to suppress publication

    • Starting 14 June 2023, Cl0p began posting victim organization names on its Tor-hosted leak site (`cl0p_-_leaks.onion`), giving each a countdown deadline to pay or have their data published in full.
    • Rather than a per-host ransom, Cl0p's model was pure data-extortion: because encryption never occurred, victims had no encrypted files to recover — their only leverage was suppression of publication.
    • Scale: Emsisoft and the Identity Theft Resource Center estimated ~2,700 organizations affected and approximately 95 million individuals' records exposed, making this one of the largest data-theft events in history.
    • Notable confirmed victims include: U.S. Department of Energy, U.S. Department of Agriculture, Louisiana Office of Motor Vehicles, Oregon DMV, BBC, British Airways, Shell, PwC, EY, Siemens Energy, Schneider Electric, National Student Clearinghouse, Teachers Insurance and Annuity Association (TIAA), and hundreds of universities.
    • The U.S. State Department offered a $10 million reward for information linking Cl0p to a foreign government. No ransom payments by U.S. federal agencies were confirmed.
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Cl0p (TA505 / Lace Tempest)
Capability
  • T1190
  • T1595.002
  • T1505.003
  • T1059.002
  • T1213
Infrastructure
Victim
  • See narrative above
Primary sources