Introduction: A Wake-Up Call for Cybersecurity Teams
In late May 2025, cybersecurity radar systems lit up as GreyNoise, a prominent threat intelligence firm, detected a sharp increase in malicious scanning targeting MOVEit Transfer systems. With its widespread use across both public and private sectors, MOVEit has long been a desirable target for cybercriminals—especially since it deals with the secure movement of sensitive data. Now, with scanner activity spiking dramatically, experts are warning of a potential new wave of exploitation. This article explores the surge, its implications, and offers expert analysis on how organizations should respond to this growing threat.
MOVEit Transfer Scanning Surge: What’s Happening?
GreyNoise issued an alert noting a “notable surge” in scanning activity beginning May 27, 2025, targeting MOVEit Transfer, a popular managed file transfer tool used globally. Until then, scanning activity had been minimal—fewer than 10 unique IPs per day. But that quickly changed.
On May 27, activity surged past 100 unique IPs, then jumped to 319 IPs just a day later. Since that initial spike, scanner volume has remained intermittently high, hovering between 200 and 300 IPs daily, a major departure from previous trends.
In total, 682 unique IP addresses have been involved over the last 90 days, with 449 IPs flagged in just the past 24 hours. Alarmingly, 344 of those were deemed suspicious, and 77 marked malicious. The majority of these IPs originated from the U.S., but other hotbeds included Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.
This scanning frenzy suggests attackers are either preparing for another mass exploitation campaign or hunting for unpatched systems. Security teams are advised to audit exposed MOVEit Transfer systems, review logs from late May onward, and ensure all patches are applied.
Adding to the concern, GreyNoise also detected low-volume exploitation attempts involving known MOVEit Transfer vulnerabilities:
CVE-2023-34362, previously leveraged by Cl0p ransomware in a 2023 campaign that impacted over 2,770 organizations
CVE-2023-36934, another known critical flaw
The resurgence of scanning behavior makes it clear that MOVEit remains on the radar of sophisticated threat actors. Experts recommend blocking suspicious IPs, restricting public exposure, and ensuring systems are regularly updated to mitigate risk.
What Undercode Says: In-Depth Analysis of the MOVEit Surge 🔍
A Pattern of Reconnaissance and Preparation
Undercode researchers view this recent activity as more than random probing—it’s tactical reconnaissance. Threat actors often begin campaigns by silently scanning for vulnerable infrastructure. With hundreds of IPs now involved, this isn’t noise—it’s preparation.
MOVEit’s Popularity Is Its Weakness
As a trusted solution for secure file transfers, MOVEit’s widespread deployment makes it an ideal high-value target. When vulnerabilities like CVE-2023-34362 surface, attackers act quickly, often faster than enterprises can patch. The 2023 Cl0p incident proved just how lucrative exploiting MOVEit could be.
What’s Driving This Surge Now?
Several possibilities:
New zero-day vulnerabilities are being tested behind the scenes.
Script kiddies and APT groups alike are revisiting past success stories like the Cl0p campaign.
Attackers could be selling exploit kits on dark markets, reigniting interest in MOVEit targets.
Regional Targeting & Infrastructure
The geographic spread is telling. While the U.S. dominates the scanner IPs, the presence of nodes in Asia, Europe, and South America points to either a coordinated global operation or botnet-based scanning infrastructure, with proxy networks or compromised systems carrying out the reconnaissance.
Mitigation and Recommendations
Organizations should:
Restrict external access to MOVEit interfaces immediately
Apply the latest patches, especially those related to CVE-2023-34362 and CVE-2023-36934
Use threat intelligence feeds to block known bad IPs
Conduct forensic log reviews from May 27 onward
Implement multi-factor authentication on MOVEit endpoints
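A defender-side illustration of the log-review and block-list recommendations above, added here as an example and not code from the article, GreyNoise, or Progress: it parses IIS-style access-log lines from a MOVEit Transfer front end, counts distinct client IPs per day, flags days that exceed the quiet-period baseline the advisory describes (fewer than 10 unique IPs per day), and reports which observed IPs already appear on a threat-intelligence block list. The log lines, the block list, and the W3C field order (client IP at field index 8) are constructed assumptions.

```python
"""Spot a scanning surge against a MOVEit Transfer front end in its IIS logs.

Added example, not code from GreyNoise, Progress or the article: the log
lines, the block list and the field layout are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Assumed IIS W3C field order (the real log declares it in a #Fields: line;
# adjust C_IP_INDEX if your MOVEit server logs a different layout).
DATE_INDEX = 0
C_IP_INDEX = 8

# Constructed sample: a quiet day, then a May 27 spike. Documentation-only
# address ranges; the scanner user agent mimics a typical scripted client.
_QUIET = [f"2025-05-26 08:0{i}:00 10.0.0.5 GET / - 443 - 203.0.113.{i} Mozilla/5.0 200" for i in range(1, 3)]
_SPIKE = [f"2025-05-27 01:{i:02d}:00 10.0.0.5 GET / - 443 - 198.51.100.{i} python-requests/2.31 404" for i in range(1, 13)]
SAMPLE_LOG = "\n".join(["#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status", *_QUIET, *_SPIKE])

# Constructed block list standing in for a threat-intelligence feed.
BLOCKLIST = {"198.51.100.3", "198.51.100.7", "192.0.2.99"}


def unique_ips_per_day(log_text: str) -> dict[date, set[str]]:
    """Map each log date to the set of distinct client IPs seen that day."""
    per_day: dict[date, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip W3C header/comment lines
            continue
        fields = line.split()
        if len(fields) <= C_IP_INDEX:          # malformed line, ignore it
            continue
        per_day[date.fromisoformat(fields[DATE_INDEX])].add(fields[C_IP_INDEX])
    return dict(per_day)


def surge_days(per_day: dict[date, set[str]], baseline: int = 10) -> list[date]:
    """Days whose distinct-IP count exceeds the quiet-period baseline (<10/day)."""
    return sorted(d for d, ips in per_day.items() if len(ips) > baseline)


def blocklisted_hits(per_day: dict[date, set[str]], blocklist) -> dict[date, set[str]]:
    """Observed IPs per day that are already on the intel block list."""
    bad = set(blocklist)
    return {d: ips & bad for d, ips in per_day.items() if ips & bad}


if __name__ == "__main__":
    days = unique_ips_per_day(SAMPLE_LOG)
    for d in sorted(days):
        print(d, len(days[d]), "unique client IPs")
    print("surge days:", surge_days(days))
    print("known-bad IPs seen:", blocklisted_hits(days, BLOCKLIST))
```

Point it at real MOVEit front-end logs from May 27 onward and a live feed in place of BLOCKLIST; a day that trips the baseline with several feed hits is the signal to review that day's requests in detail.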
Undercode’s Threat Forecast
Given the tactical pattern and sheer volume of scanning:
An active exploitation campaign is likely imminent
Smaller-scale breaches may already be underway
Enterprises with unpatched or misconfigured MOVEit servers are at high risk
The next few weeks are critical—security teams need to stay vigilant, test their defenses, and expect that any unpatched entry point could be targeted.
✅ Fact Checker Results:
Surge Confirmed: Scanning activity has jumped significantly post-May 27.
Known CVEs: Exploitation attempts against CVE-2023-34362 and CVE-2023-36934 were verified.
Global Reach: IP addresses tied to the scanning span multiple continents.
🔮 Prediction:
Expect a coordinated ransomware or data extortion campaign targeting MOVEit within the next 30–60 days. Based on past patterns (like the Cl0p campaign), this initial scanning phase often precedes an organized wave of attacks. Security teams that delay action could face data breaches, reputational damage, or operational downtime.
References:
Reported By: thehackernews.com