Rising Tension Over MOVEit Security
Security experts are once again sounding the alarm as MOVEit Transfer, a widely used file transfer system, faces a fresh wave of suspicious activity. Following a period of quiet, a sharp increase in scanning behavior from hundreds of unique IP addresses indicates potential preparation for a new round of cyberattacks. The pattern is disturbingly familiar: threat actors are probing for weaknesses, hinting at the possibility of new vulnerabilities or the return of previously exploited flaws. With infrastructure like Tencent Cloud, Cloudflare, and Amazon Web Services involved, this surge in activity is too deliberate to be brushed aside.
Scanning Activity Reaches New Heights
On May 27, 2025, threat intelligence firm GreyNoise reported an alarming spike in scanning activity targeting MOVEit Transfer systems. From a modest baseline of fewer than 10 IPs per day, the number of unique scanners exploded to 100 in a single day, followed by 319 the next. Since then, daily scanner volumes have remained persistently high, fluctuating between 200 and 300 IPs. Over a 90-day period leading to June 24, GreyNoise observed 682 unique IP addresses actively scanning MOVEit systems. Nearly half of these originated from Tencent Cloud infrastructure, with others using Cloudflare (17%), Amazon (14%), and Google Cloud (5%). Most of the scanner IPs were geolocated in the United States.
Security analysts believe this activity may be the prelude to a broader offensive. Such probing behavior often signals attackers preparing to discover zero-day vulnerabilities or revive older exploits. The activity is neither random nor decentralized: the scanning IPs are concentrated under single Autonomous System Numbers (ASNs), which points to a coordinated effort with a high level of organization and automation.
This is particularly troubling given MOVEit's recent history. In mid-2023, the Clop ransomware gang exploited a critical vulnerability in MOVEit software, compromising the systems of high-profile organizations such as British Airways and pharmacy chain Boots. This exploit affected hundreds of downstream entities, causing widespread disruption.
Adding to concerns, GreyNoise confirmed two low-volume exploitation attempts detected on June 12, 2025. These were linked to previously disclosed SQL injection vulnerabilities: CVE-2023-34362 and CVE-2023-36934. While no widespread exploitation has yet been observed, the timing, during the surge in scanning, raises suspicions that attackers are testing or validating targets ahead of a broader campaign.
To mitigate potential threats, GreyNoise urges MOVEit customers to take proactive security measures. These include blocking suspicious IPs, auditing external system exposures, applying security patches (especially for the known CVEs), and actively monitoring real-time threat behavior. With scanning patterns often preceding new vulnerability disclosures by two to four weeks, the cybersecurity community must remain vigilant.
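The "monitor real-time threat behavior" advice above can be turned into a concrete check on a MOVEit host's own web server logs. The following is an added example, not GreyNoise's or Progress's code: it counts distinct client IPs per day and flags a day whose count jumps far above the median of the preceding week, the shape of the spike described above (under 10 IPs a day, then 100, then 319). The log format, thresholds and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Combined Log Format prefix: client IP, then "[dd/Mon/yyyy:hh:mm:ss +zone]".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^:\]]+):')

def unique_ips_per_day(lines):
    """Return {date: number of distinct client IPs} for parseable lines."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the monitor
        ip, datestr = m.groups()
        seen[datetime.strptime(datestr, "%d/%b/%Y").date()].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}

def flag_surges(counts, window=7, factor=10, floor=20):
    """Flag days whose unique-IP count is at least `factor` x the median of
    the preceding `window` days (and at least `floor`, to ignore tiny hosts).
    Returns (iso_date, count, baseline) tuples, oldest first."""
    days = list(counts)
    flagged = []
    for i, day in enumerate(days):
        prior = [counts[d] for d in days[max(0, i - window):i]]
        if not prior:
            continue  # no baseline yet for the first day in the log
        baseline = median(prior)
        if counts[day] >= max(floor, factor * baseline):
            flagged.append((day.isoformat(), counts[day], baseline))
    return flagged

def make_lines(date, n_ips):
    """Constructed sample log lines: n_ips distinct 10.0.x.y clients on one day."""
    return [f'10.0.{i // 256}.{i % 256} - - [{date}:12:00:00 +0000] "GET / HTTP/1.1" 200 512'
            for i in range(n_ips)]

# Constructed data shaped like the reported pattern: a quiet week, then 100 and 319.
SAMPLE_LOG = []
for date, n in [("20/May/2025", 4), ("21/May/2025", 6), ("22/May/2025", 5),
                ("23/May/2025", 7), ("24/May/2025", 3), ("25/May/2025", 8),
                ("26/May/2025", 5), ("27/May/2025", 100), ("28/May/2025", 319)]:
    SAMPLE_LOG += make_lines(date, n)

if __name__ == "__main__":
    for iso_date, count, baseline in flag_surges(unique_ips_per_day(SAMPLE_LOG)):
        print(f"{iso_date}: {count} unique scanners vs baseline {baseline}")
```

On real data, feed the function the lines of the MOVEit front end's access log; the two flagged days in the sample correspond to the May 27 and May 28 counts reported by GreyNoise.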
What Undercode Says:
Persistent Scanning as a Strategic Cyber Prelude
The sudden, sustained scanning activity targeting MOVEit Transfer isn't just a random uptick in noise. It's a tactical maneuver, often employed by threat actors to identify viable targets before launching high-impact exploits. The pattern GreyNoise uncovered matches a common reconnaissance phase in which adversaries gather critical intelligence on public-facing systems. With scanning concentrated within a handful of cloud infrastructures (Tencent Cloud, Amazon, Cloudflare, and Google), it's clear this is a coordinated, programmatic effort, likely automated through scripts or scanning frameworks.
Legacy Exploits Still Pose a Threat
The confirmed use of two older SQL injection vulnerabilities (CVE-2023-34362 and CVE-2023-36934) shows that unpatched systems remain an easy entry point. Despite public disclosures and available patches, many organizations lag in applying critical updates. This leaves the door open for even basic exploits to cause significant damage. The re-use of past vulnerabilities also signals a common tactic among cybercriminals: if the exploit worked once, it might work again, especially when targeting entities with poor patch management.
Geographic and Infrastructure Patterns
The geolocation of the majority of IPs in the US, combined with the centralization within large cloud providers, introduces new dimensions to threat detection and attribution. While these environments provide scalability and anonymity, they also complicate defensive measures. Attackers can spin up temporary cloud instances to perform scans and tear them down before detection systems catch up. This strategy allows adversaries to mask their true origins and maintain persistence without triggering standard alert systems.
Potential Zero-Day Hunting
Another crucial insight is that the scanning may not be for known vulnerabilities but instead for discovering new ones. Attackers often test public systems in hopes of finding zero-day vulnerabilities: flaws unknown to the vendor and unpatched. If the pattern holds true, we may see new CVEs affecting MOVEit Transfer being disclosed (or exploited) in the coming weeks. This window, typically two to four weeks after scanning spikes, is when defenders must be most alert.
Organizational Readiness in Question
The broader issue lies in organizational readiness. Many businesses rely on third-party platforms like MOVEit without fully grasping their risk exposure. When cloud-based scanning increases, it becomes critical to understand how many entry points are publicly accessible and whether basic security hygiene, such as patching and endpoint monitoring, is being enforced. In a world where ransomware gangs like Clop target supply chains, even indirect exposure can have devastating ripple effects.
Warning Signs From 2023 Resurface
The Clop attacks in 2023 should have been a wake-up call. Yet, the recurrence of scanning and exploit attempts in 2025 shows that many have returned to a state of complacency. The tendency to forget cybersecurity lessons over time can be catastrophic. MOVEit, once again, finds itself in a vulnerable position not just due to its architecture but because of ecosystem-wide neglect.
Call to Action
Security teams must stop viewing threat alerts as isolated incidents. The current scanning spree is likely a precursor to a larger campaign. If history is any indicator, ignoring these early warning signs could result in widespread compromise, data leaks, or ransomware attacks. It's time for organizations to reinforce their defenses, update their threat intelligence, and stay one step ahead of the attackers.
Fact Checker Results:
- Confirmed: Scanning activity targeting MOVEit has significantly increased since May 27, 2025
- Confirmed: Previous vulnerabilities (CVE-2023-34362 and CVE-2023-36934) were used in recent low-volume attacks
- Confirmed: GreyNoise confirms scanning patterns often precede new vulnerabilities by 2-4 weeks
Prediction:
With persistent, elevated scanning and early signs of exploitation, MOVEit Transfer systems are at high risk of being targeted by a fresh wave of cyberattacks within the next month. The activity suggests attackers are actively probing for new vulnerabilities or waiting for a zero-day to weaponize. Organizations using MOVEit should treat this as a red alert period and act immediately to secure their environments.
References:
Reported By: www.infosecurity-magazine.com