GreyNoise observed a surge in scanning activity targeting MOVEit Transfer systems since May 27, indicating the software could face renewed attacks
# Incident Report: Surge in MOVEit Transfer Scanning Activity Preceding Potential Attacks
## Executive Summary
A significant increase in scanning activity targeting MOVEit Transfer systems was detected starting May 27, 2025, suggesting a high probability of renewed exploitation attempts similar to the widespread attacks seen in the summer of 2023. Threat intelligence observed hundreds of unique IP addresses actively scanning for the vulnerable software, with Tencent Cloud being the primary source infrastructure. No active compromise data is reported, but this activity signals attackers are mapping targets ahead of a potential mass exploitation campaign.
## Incident Details
- Discovery Date: May 27, 2025 (Initial spike detected)
- Incident Date: Scanning activity began May 27, 2025, reflecting preparation for future incidents.
- Affected Organization: Organizations utilizing MOVEit Transfer systems (Specific victims not yet disclosed, as this is pre-exploitation scanning).
- Sector: Broad impact across any sector using MOVEit for managed file transfer.
- Geography: The majority of the scanning IP addresses geolocated to the US, with infrastructure sourced globally (Tencent Cloud, Cloudflare, Amazon, Google).
## Timeline of Events
### Initial Access (Scanning Phase)
- Date/Time: Beginning May 27, 2025; the baseline before this date was minimal (<10 IPs/day).
- Vector: Network scanning targeting known MOVEit Transfer vulnerabilities.
- Details: Threat intelligence provider GreyNoise detected a massive jump in unique IPs using their MOVEit Transfer Scanner Tag. 100 unique IPs scanned on May 27, escalating to 319 on May 28, and maintaining an elevated rate of 200-300 IPs daily thereafter.
### Lateral Movement
- Not applicable/Not yet observed. Current activity is focused on reconnaissance/initial access mapping.
### Data Exfiltration/Impact
- Not applicable/Not yet observed. Activity is preparatory scanning.
### Detection & Response
- Detection Method: Threat intelligence monitoring via GreyNoise (MOVEit Transfer Scanner Tag).
- Response Actions: Threat intelligence was published to alert potential victims and security teams of the increased risk.
## Attack Methodology
- Initial Access: Automated network scanning targeting existing vulnerabilities in MOVEit Transfer software (likely referencing the critical vulnerabilities exploited by Clop in 2023).
- Persistence: Not applicable (Scanning phase).
- Privilege Escalation: Not applicable (Scanning phase).
- Defense Evasion: Not explicitly detailed, but geographically diverse infrastructure (Tencent Cloud, AWS, Cloudflare) is used to launch scans, likely to evade IP-based blocking.
- Credential Access: Not applicable (Scanning phase).
- Discovery: Identifying systems running vulnerable versions of MOVEit Transfer.
- Lateral Movement: Not applicable (Scanning phase).
- Collection: Not applicable (Scanning phase).
- Exfiltration: Not applicable (Scanning phase).
- Impact: Not applicable (Scanning phase).
## Impact Assessment
- Financial: Unknown, dependent on whether exploitation occurs. The previous campaign resulted in costs related to remediation and notification for affected entities.
- Data Breach: Potential exploitation of a zero-day or of a previously disclosed vulnerability, leading to data exposure or theft from organizations using MOVEit Transfer.
- Operational: Potential for service disruption if zero-day exploitation leads to system compromise.
- Reputational: High risk for organizations successfully targeted in any subsequent campaign.
## Indicators of Compromise
- Network Indicators (Defanged):
  - High volume of originating IPs leveraging Tencent Cloud infrastructure (44% of scanners).
  - Elevated connection patterns to MOVEit Transfer endpoints.
- File Indicators: None reported (Activity is network-based scanning).
- Behavioral Indicators: Sudden, sustained increase in requests matching known MOVEit exploitation patterns, originating from multiple unique IPs across major cloud providers.
## Response Actions
- Containment: Rapid patching/mitigation of MOVEit Transfer systems for organizations identified as having the software exposed.
- Eradication: Not applicable yet. Focus is on proactive hardening.
- Recovery: Not applicable yet.
## Lessons Learned
- Historical exploitation patterns (like Clop's use of MOVEit) resurface when flaws are not fully remediated or new ones emerge.
- Mass scanning campaigns precede large-scale exploitation, providing a measurable lead time for defense posture improvement.
- Attackers rely heavily on shared cloud infrastructure (Tencent Cloud, AWS) to perform large-scale reconnaissance.
## Recommendations
- Immediately verify that all instances of Progress MOVEit Transfer software are fully patched to the latest available version.
- Implement network segmentation, placing managed file transfer servers in restricted zones with stringent ingress/egress controls.
- Enhance monitoring capabilities specifically for MOVEit Transfer endpoints to detect the reconnaissance/exploitation traffic patterns observed in previous campaigns.
- Review third-party vendor risk management, particularly for vendors handling sensitive data via managed file transfer solutions.
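The monitoring recommendation above rests on the report's own observation: a quiet baseline of under 10 unique IPs per day, then a jump to 100 and 319. The following script, added here as an illustration and not part of the GreyNoise report or any MOVEit tooling, shows one way to turn that into a local detection. It counts the unique source IPs per day that touch the managed file transfer web interface in a web-server access log and alerts when a day exceeds both an absolute floor and a multiple of the preceding days' average. The URL prefix `/moveit`, the TEST-NET source addresses and the log lines are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Regex for the combined/common access-log format: client IP, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

# Hypothetical URL prefix under which the file transfer web interface is served.
# This is an assumption for the example, not a path taken from the report.
MOVEIT_PATH_PREFIXES = ("/moveit",)


def build_sample_log():
    """Constructed access-log lines (TEST-NET addresses, not real scanners).
    Mirrors the report's shape: a quiet baseline, then a jump in unique IPs."""
    lines = []

    def add(day, count, start):
        for i in range(count):
            ip = f"203.0.113.{start + i}"
            lines.append(f'{ip} - - [{day}/May/2025:10:{i % 60:02d}:00 +0000] '
                         f'"GET /moveit/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

    add("24", 3, 1)
    add("25", 4, 10)
    add("26", 2, 20)
    add("27", 60, 30)     # spike
    add("28", 120, 100)   # sustained elevated rate
    # Noise that must be ignored: a non-MOVEit path and an unparseable line.
    lines.append('198.51.100.7 - - [27/May/2025:12:00:00 +0000] '
                 '"GET /healthz HTTP/1.1" 200 2 "-" "probe"')
    lines.append("garbage line that does not parse")
    return lines


def unique_ips_per_day(lines, prefixes=MOVEIT_PATH_PREFIXES):
    """Return {day: set(ips)} for requests whose path starts with one of the prefixes."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if m.group("path").startswith(prefixes):
            seen[m.group("day")].add(m.group("ip"))
    return seen


def detect_scanning_surge(lines, min_ips=10, factor=3.0, baseline_days=3):
    """Flag days whose unique-IP count is at least `min_ips` AND at least
    `factor` times the mean of the preceding `baseline_days` days.
    Returns a list of (day, unique_ip_count, baseline_mean) tuples."""
    per_day = unique_ips_per_day(lines)
    days = sorted(per_day, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    counts = [len(per_day[d]) for d in days]
    alerts = []
    for i, day in enumerate(days):
        prior = counts[max(0, i - baseline_days):i]
        baseline = mean(prior) if prior else 0.0
        if counts[i] >= min_ips and counts[i] >= factor * baseline:
            alerts.append((day, counts[i], round(baseline, 1)))
    return alerts


if __name__ == "__main__":
    for day, count, baseline in detect_scanning_surge(build_sample_log()):
        print(f"ALERT {day}: {count} unique IPs hit the file transfer interface "
              f"(prior {baseline} avg/day)")
```

The absolute floor keeps a three-to-five IP baseline from alerting on a handful of new clients, and the ratio against the prior days catches the sustained elevated rate on the day after the spike even though the baseline has already risen. Tune `min_ips` and `factor` to the normal traffic of the host, and feed the function with the real access log of the server in front of the file transfer system.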