Article Details
Scrape Timestamp (UTC): 2025-06-27 07:51:11.869
Source: https://thehackernews.com/2025/06/moveit-transfer-faces-increased-threats.html
Original Article Text
MOVEit Transfer Faces Increased Threats as Scanning Surges and CVE Flaws Are Targeted
Threat intelligence firm GreyNoise is warning of a "notable surge" in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025, suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems.
MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data securely. Because it often handles high-value information, it has become a favorite target for attackers.
"Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day," the company said. "But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28."
Since then, daily scanner IP volume has remained intermittently elevated at between 200 and 300 IPs per day, GreyNoise added, stating it marks a "significant deviation" from usual behavior.
Companies should check which parts of MOVEit are exposed to the internet, review their logs for any unusual activity since late May, and quickly update any outdated MOVEit systems.
As many as 682 unique IPs have been flagged in connection with the activity over the past 90 days, with 449 IP addresses observed in the past 24 hours alone. Of the 449 IPs, 344 have been categorized as suspicious and 77 have been marked malicious.
A majority of the IP addresses geolocate to the United States, followed by Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.
GreyNoise also said it detected low-volume exploitation attempts to weaponize two known MOVEit Transfer flaws (CVE-2023-34362 and CVE-2023-36934) on June 12, 2025. It's worth noting that CVE-2023-34362 was abused by Cl0p ransomware actors as part of a widespread campaign in 2023, impacting more than 2,770 organizations.
The spike in scanning activity is an indication that MOVEit Transfer instances are once again under threat actors' scanners, making it essential that users block the offending IP addresses, make sure the software is up to date, and avoid exposing those instances publicly over the internet.
Daily Brief Summary
Threat intelligence firm GreyNoise has observed a significant increase in scanning activities targeting MOVEit Transfer, a popular secure file transfer system, beginning on May 27, 2025.
The number of scanning IPs surged from fewer than 10 daily to over 300 IPs on some days, indicating potential preparations for a mass exploitation campaign.
MOVEit Transfer, widely used by businesses and government bodies to transmit sensitive data, has become increasingly targeted due to its high-value information handling.
In recent scans, 682 unique IPs were flagged for suspicious activities, with a majority located in the United States, Germany, and other countries.
GreyNoise reported attempts to exploit previously known vulnerabilities in MOVEit Transfer, specifically CVE-2023-34362 and CVE-2023-36934, warning that these could be leveraged in attacks similar to past ransomware campaigns by Cl0p.
Recommendations for organizations include checking internet-exposed components of MOVEit systems, monitoring for anomalies in logs since late May, and promptly updating software to mitigate threats.
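The log review recommended above can be done with a short script. This is an added example, not code from GreyNoise, Progress, or the article. It assumes the server's web logs are in IIS W3C extended format with `date` and `c-ip` fields; the sample log, the `/example` path, and the 3x threshold are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import date

def build_sample():
    """Constructed IIS W3C log: quiet days, then many distinct sources on 2025-05-27."""
    out = ["#Software: Microsoft Internet Information Services 10.0",
           "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for day in ("2025-05-24", "2025-05-25", "2025-05-26"):
        out += [f"{day} 10:00:0{i} 192.0.2.{i} GET /example 200" for i in range(1, 3)]
    # Field order changes mid-file, as happens after logging is reconfigured.
    out.append("#Fields: date time cs-method cs-uri-stem c-ip sc-status")
    out += [f"2025-05-27 03:00:00 GET /example 198.51.100.{i} 404" for i in range(1, 13)]
    out.append("2025-05-27 03:00:01 GET /exam")  # truncated record, must be skipped
    out += [f"2025-05-28 09:00:00 GET /example 192.0.2.{i} 200" for i in range(1, 3)]
    return out

def daily_unique_ips(lines):
    """Map each log date to the set of client IPs seen, honouring every #Fields header."""
    fields, seen = [], defaultdict(set)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record
        row = dict(zip(fields, parts))
        try:
            day = date.fromisoformat(row["date"])
        except (KeyError, ValueError):
            continue
        if row.get("c-ip", "-") != "-":
            seen[day].add(row["c-ip"])
    return seen

def flag_surge_days(seen, cutoff, factor=3.0):
    """Return (baseline, days on/after cutoff with > factor x the pre-cutoff median of unique IPs)."""
    before = [len(ips) for d, ips in seen.items() if d < cutoff]
    baseline = max(statistics.median(before) if before else 0, 1)
    flagged = sorted((d, len(ips)) for d, ips in seen.items()
                     if d >= cutoff and len(ips) > factor * baseline)
    return baseline, flagged

if __name__ == "__main__":
    print(flag_surge_days(daily_unique_ips(build_sample()), date(2025, 5, 27)))
```

To use it on real data, pass the lines of the site's log files instead of `build_sample()` and keep the cutoff at the surge date the article reports.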