Current Cyber Threats

MOVEit Transfer Faces Increased Threats as Scanning Surges and CVE Flaws Are Targeted

Summary:
GreyNoise has reported a significant surge in scanning activity targeting Progress MOVEit Transfer systems, beginning on May 27, 2025, when the daily count of scanning IPs spiked from fewer than 10 to over 100, followed by 319 IPs on May 28. The increase has continued, with daily scanner volumes fluctuating between 200 and 300 IPs per day. This is a clear deviation from typical patterns and suggests that MOVEit Transfer instances are once again being systematically probed for vulnerabilities. Over the past 90 days, GreyNoise has identified 682 unique IPs associated with MOVEit Transfer scanning, with 449 observed within a single 24-hour period, of which 344 were categorized as suspicious and 77 as malicious.

A significant concentration of these scanning activities is linked to Tencent Cloud infrastructure, which accounts for 44% of the scanner IPs, while other contributors include Cloudflare, Amazon, and Google, indicating that the activity is deliberate and programmatically managed rather than random. Geolocation data shows that the majority of these IPs are based in the United States, with others traced to Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia, highlighting the global nature of this scanning activity. On June 12, 2025, GreyNoise observed low-volume exploitation attempts targeting two previously disclosed MOVEit Transfer vulnerabilities, CVE-2023-34362 and CVE-2023-36934, during this heightened scanning period. While these attempts may represent target validation or exploit testing, no widespread exploitation has been confirmed so far.


Security Officer Comments:
It is notable that CVE-2023-34362 was previously leveraged by Cl0p ransomware actors in 2023 to conduct a broad exploitation campaign affecting over 2,700 organizations globally, underscoring the potential risks associated with MOVEit Transfer vulnerabilities. Given MOVEit Transfer’s use by enterprises and government agencies to transfer sensitive data securely, the increase in scanning suggests that attackers may be preparing for another mass exploitation campaign or seeking unpatched systems to compromise.


Suggested Corrections:
GreyNoise advises organizations to block suspicious and malicious IP addresses, ensure that MOVEit Transfer systems are fully updated with the latest patches, and avoid unnecessary public exposure of these systems to reduce the risk of potential exploitation as scanning continues to signal elevated threat activity around MOVEit Transfer.
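To check whether the surge described in the Summary is visible in your own MOVEit Transfer front-end logs, and to derive block candidates from it, a baseline-deviation check like the following can be used. This is an added example, not code from GreyNoise or the linked articles; the `date src_ip path` log layout, the function names and the thresholds are assumptions, and the sample data is constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

def constructed_sample():
    """Constructed lines 'date src_ip path' (assumed layout; documentation-range IPs)."""
    lines = []
    for d in range(20, 27):  # quiet week: the same 5 sources each day
        lines += [f"2025-05-{d} 192.0.2.{i} /" for i in range(1, 6)]
    lines += [f"2025-05-27 198.51.100.{i} /" for i in range(120)]
    lines += [f"2025-05-28 203.0.113.{i} /" for i in range(200)]
    return lines + ["truncated", "2025-05-28 not-an-ip /"]

def daily_unique_sources(lines):
    """Map ISO date -> set of distinct source IPs; malformed lines are skipped."""
    per_day = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            src = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # second field is not an IP address
        per_day[parts[0]].add(src)
    return per_day

def find_surges(per_day, window=7, factor=5, floor=20):
    """Days with >= floor sources and > factor x the median of the prior window days."""
    days, surges = sorted(per_day), []
    for i, day in enumerate(days):
        history = [len(per_day[d]) for d in days[max(0, i - window):i]]
        if len(history) < 3:
            continue  # too little baseline to judge
        baseline, count = median(history), len(per_day[day])
        if count >= floor and count > factor * max(baseline, 1):
            surges.append((day, count, baseline))
    return surges

def blocklist_candidates(per_day, surge_days, known_good=()):
    """Sources first seen on a surge day, minus an allow-list (partners, monitoring)."""
    seen_before, out = set(), set()
    for day in sorted(per_day):
        if day in surge_days:
            out |= per_day[day] - seen_before
        seen_before |= per_day[day]
    return sorted(out - set(known_good), key=ipaddress.ip_address)

if __name__ == "__main__":
    print(find_surges(daily_unique_sources(constructed_sample())))
```

Because much of the reported scanning originates from large cloud providers, review the candidate list against legitimate partner and monitoring addresses before turning it into firewall rules.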


Link(s):
https://thehackernews.com/2025/06/moveit-transfer-faces-increased-threats.html
https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity