T1537: T1537

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 30/08/2019 15:03 · Modified 31/03/2026 20:49

Essential information

MITRE technique ID: T1537
Confidence: 100/100
Revoked: No
Published: 30/08/2019 15:03
Modified: 31/03/2026 20:49
Author / Source: The MITRE Corporation

Aliases

Transfer Data to Cloud Account

Platforms

IaaS Office Suite SaaS

Description

Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks) Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature) Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)

Kill chain phases

Kill chain	Phase
mitre-attack	exfiltration

Marking (TLP)

External references

Azure Blob Snapshots
DOJ GRU Indictment Jul 2018
Azure Shared Access Signature
Microsoft Azure Storage Shared Access Signature
mitre-attack (T1537)
TLDRSec AWS Attacks
AWS EBS Snapshot Sharing

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (11)

UNG0901 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNG0902 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BianLian uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Androxgh0st uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0501 uses

The MITRE Corporation Confidence 100

[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Qilin uses

Ransomware.Live Confidence 100

Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedCurl uses

The MITRE Corporation Confidence 100

[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5537 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ShinyHunters uses

AlienVault Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·

Malware (26)

Qilin uses

Family
Androxgh0st uses

Family
Vidar uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive uses

Family
k12sns.apk uses

Family
FROSTBITE uses

Family
app-u7cp-release.apk uses

Family
RedLine Stealer uses

Family
BianLian uses

Family
RansomHub uses

Family
EAGLET uses

Family
Copybara uses

Family

← Previous

Page / 3

1–12 of 26

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
New widespread EvilTokens kit: device code phishing as-a-service related

10 MITREs
Operation DupeHike: Targeting Russian employees with DUPERUNNER and … related

19 MITREs 2 Malwares 12 Observables 1 APT
StopRansomware: RansomHub Ransomware related

9 CVEs 23 MITREs 4 Malwares 14 Observables 1 APT
Technical Analysis of Copybara related

15 MITREs 1 Malware 107 Observables
2024 OLYMPICS-THEMED DOMAINS USED FOR CHINESE GAMBLING SITES related

6 MITREs 7 Observables
BingoMod: The new android RAT that steals money … related

5 MITREs 1 Malware 3 Observables
Who You Gonna Call? AndroxGh0st Busters! related

3 CVEs 9 MITREs 1 Malware 7 Observables 1 APT
Akira Ransomware Targets the LATAM Airline Industry related

3 CVEs 32 MITREs 1 Malware 2 Observables 1 APT
ProxyLogon and ProxyShell Used to Target Government Mail … related

18 MITREs 4 Observables
UNC5537 Targets Snowflake Customer Instances for Data Theft … related

14 MITREs 7 Malwares 48 Observables 1 APT

Vulnerabilities (CVE) (13)

CVE-2023-27350 KEV targets

9.8 Critical

PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …

Attack vector: Network
Published: 21/04/2023
Modified: 21/12/2025

CVE-2021-41773 KEV targets

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2020-0787 KEV targets

Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this …

Published: 28/01/2022
Modified: 21/12/2025

CVE-2017-9841 KEV targets

9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector: NETWORK
Complexity: LOW
Published: 27/06/2017
Modified: 22/04/2026

CWE-94

CVE-2023-27997 KEV targets

9.8 Critical

Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …

Attack vector: Network
Published: 13/06/2023
Modified: 21/12/2025

CVE-2017-0144 KEV targets

8.8 High

The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.

Attack vector: NETWORK
Complexity: LOW
Published: 17/03/2017
Modified: 22/04/2026

CVE-2023-46747 KEV targets

9.8 Critical

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …

Attack vector: Network
Published: 31/10/2023
Modified: 21/12/2025

CVE-2023-46604 KEV targets

10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector: Network
Published: 02/11/2023
Modified: 21/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2023-48788 KEV targets

9.8 Critical

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Attack vector: Network
Published: 25/03/2024
Modified: 21/12/2025

CVE-2023-3519 KEV targets

9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector: Network
Published: 19/07/2023
Modified: 27/05/2026

← Previous

Page / 2

1–12 of 13

Software Configuration mitigates
Data Loss Prevention mitigates
Filter Network Traffic mitigates
User Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1537: T1537

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (11)

Malware (26)

Reports (12)

Vulnerabilities (CVE) (13)

Course Of Action (4)