MOVEit Transfer Under the Radar Again

MOVEit Transfer, a secure managed file transfer software, is under heightened scrutiny following a sudden spike in scanning activity, first observed by GreyNoise on May 27, 2025. The unexpected surge in reconnaissance traffic could indicate adversaries are preparing for future exploitation, as such behavior historically precedes the disclosure or use of new vulnerabilities.

Severity Level: Critical

Threat Details

  1. Type: Pre-exploitation scanning activity.
  2. Start of Surge: Scanning spiked from <10 to over 100 unique IPs on May 27, peaking at 319 IPs on May 28, and stabilizing at 200–300 IPs/day.
  3. Infrastructure Abuse: 44% of scanning IPs are hosted by Tencent Cloud, with others spread across Cloudflare, Amazon, and Google.
  4. Associated CVEs: On June 12, GreyNoise observed attempts to exploit:
    o CVE-2023-34362: A critical SQL injection vulnerability used in prior data-theft campaigns.
    o CVE-2023-36934: Another MOVEit vulnerability known for remote code execution vectors.
  5. Top Destination Countries: United Kingdom, United States, Germany, France, and Mexico.

Key Highlights

  1. 682 unique IPs tagged with MOVEit scanner behaviour in 90 days.
  2. Evidence suggests structured, automated scanning rather than random probing.
  3. No widespread exploitation observed yet, but early reconnaissance often precedes attacks by 2–4 weeks.
  4. Ongoing scanning indicates MOVEit remains a high-priority target.
  5. A significant majority of scanner IP addresses are geolocated within the United States.

Recommendations

  1. Enable deep packet inspection to detect suspicious file transfer behaviours.
  2. Apply patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934.
  3. Audit exposure of all internet-facing MOVEit Transfer instances.
  4. Monitor telemetry for unusual activity related to MOVEit endpoints.
  5. Confirm backups and incident response drills include secure file transfer platforms.
  6. Limit public exposure of file transfer systems via proper network segmentation.
  7. Review third-party integrations using MOVEit to evaluate inherited risk.
  8. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/a58765a5e28b990716a9249c4eacdf8faa0db1a9f7f90f5997eb9d3b5a3d1029/iocs
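
As an added illustration of recommendation 4 (example code, not from the advisory or from GreyNoise), the script below counts distinct source IPs per day in web-server access logs for a MOVEit Transfer host and flags days where that count jumps well above the trailing baseline, the same unique-IP-per-day metric the advisory quotes (<10 to 100+ on May 27, 319 on May 28). The log lines, the `/mft/login` path, the 10.0.x.y addresses and the thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

# Combined-log-format prefix: client IP, timestamp, then the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)

def unique_ips_per_day(lines, path_prefix="/"):
    """Map each ISO day to the number of distinct client IPs requesting a path under path_prefix."""
    ips_by_day = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(path_prefix):
            continue
        day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        ips_by_day[day].add(m.group("ip"))
    return {day: len(ips) for day, ips in ips_by_day.items()}

def surge_days(counts, window=7, factor=5, floor=50, min_history=3):
    """Return days whose unique-IP count exceeds max(floor, factor * median of the trailing window)."""
    days = sorted(counts)
    flagged = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[max(0, i - window):i]]
        if len(history) < min_history:
            continue  # not enough quiet days yet to form a baseline
        threshold = max(floor, factor * statistics.median(history))
        if counts[day] > threshold:
            flagged.append(day)
    return flagged

def constructed_log(first_day, daily_unique_ips, path="/mft/login"):
    """Constructed sample log: on day k, daily_unique_ips[k] distinct 10.0.x.y clients each send two requests."""
    lines = []
    for k, n in enumerate(daily_unique_ips):
        stamp = (first_day + timedelta(days=k)).strftime("%d/%b/%Y")
        for i in range(n):
            ip = f"10.0.{i // 256}.{i % 256}"
            for hhmm in ("03:14", "03:15"):  # repeat requests from one IP must not inflate the count
                lines.append(f'{ip} - - [{stamp}:{hhmm}:07 +0000] "GET {path} HTTP/1.1" 200 512')
    return lines

# Seven quiet days (3-8 unique IPs), then the advisory's shape: 100+ on May 27, 319 on May 28.
SAMPLE_LOG = constructed_log(date(2025, 5, 20), [4, 6, 5, 7, 3, 8, 6, 120, 319])

if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOG)
    for day in surge_days(counts):
        print(f"{day}: {counts[day]} unique IPs (surge over trailing baseline)")
```

Point `unique_ips_per_day` at the real access log of the MOVEit front end and narrow `path_prefix` to its web root; the median-based baseline keeps one noisy day from masking the next.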

Source:

  • https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity

Ampcus Cyber