Surge in Attacks on MOVEit Transfer Systems – Attackers Use Over 100 Unique IPs

GreyNoise has identified a significant surge in scanning activity targeting MOVEit Transfer systems, with daily unique IP addresses probing these systems jumping from fewer than 10 to over 300 within 24 hours starting May 27, 2025.

According to the report, this persistent scanning—maintaining 200-300 IP addresses daily—represents a stark deviation from baseline activity and suggests heightened interest in the file-transfer platform, potentially preceding new exploit campaigns.

The infrastructure concentration (44% from Tencent Cloud ASN 132203) indicates deliberate, coordinated scanning rather than random, opportunistic probing.

Key Scanning Patterns and Infrastructure

  • Volume spike: 682 unique IPs observed over 90 days, with 303 originating from Tencent Cloud.
  • Source distribution: Cloudflare (113 IPs), Amazon (94 IPs), and Google (34 IPs) comprise the secondary infrastructure.
  • Target geography: The United Kingdom, the United States, Germany, France, and Mexico represent primary destinations.
  • Technical trigger: Scanning focuses on MOVEit Transfer’s HTTP/HTTPS ports (80/443), suggesting reconnaissance for known vulnerabilities like CVE-2023-34362 and CVE-2023-36934.

Confirmed Exploitation Attempts

Low-volume exploitation occurred on June 12, 2025, leveraging two critical CVEs:

  • CVE-2023-34362: SQL injection in UserEngine.UserGetUsersWithEmailAddress allowing unauthenticated database access and web shell deployment (LEMURLOOT).
  • CVE-2023-36934: Unauthorized database access via crafted payloads to /human.aspx and /machine.aspx endpoints, enabling session manipulation and privilege escalation.

No widespread exploitation is confirmed, but these attempts align with historical CL0P ransomware group tactics.

Mitigation Strategies

Organizations should immediately:

  1. Block malicious IPs: Dynamically filter traffic using threat intelligence feeds targeting Tencent Cloud ASN 132203 and other high-risk infrastructure.
  2. Patch systems: Apply critical updates for MOVEit Transfer versions:
     Affected Version | Patched Version
     2023.0.x         | 15.0.3
     2022.1.x         | 14.1.7
     2021.0.x         | 13.0.8
  3. Segment networks: Restrict HTTP/HTTPS access to MOVEit systems via firewall rules (ports 80/443) and isolate sensitive data storage.

Infrastructure concentration in a single ASN underscores the need for behavioral analytics to detect programmatic scanning.
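The kind of behavioral check the report points to, as an added example that is not part of the GreyNoise report or this article: count daily unique source IPs hitting the MOVEit web ports, flag a day whose count is an order of magnitude above the preceding baseline, and measure how much of that day's traffic comes from one ASN. The log format, the addresses and the IP-to-ASN map are constructed sample data and assumptions, not real indicators.

```python
# Added example (not from GreyNoise or Cyber Press): surge detection on unique
# scanner IPs against MOVEit Transfer's HTTP/HTTPS listeners, plus the
# single-ASN concentration check. All sample data below is constructed.
from collections import Counter, defaultdict
from statistics import median

MOVEIT_WEB_PORTS = {80, 443}

def build_sample_log():
    """Construct log lines '<date> <src_ip> <dst_port> <path>': three quiet
    days with 3 IPs each, then 30 IPs on 2025-05-27 (constructed, RFC 5737 ranges)."""
    lines = []
    for day in ("2025-05-24", "2025-05-25", "2025-05-26"):
        lines += [f"{day} 198.51.100.{i} 443 /" for i in range(1, 4)]
    lines += [f"2025-05-27 203.0.113.{i} 443 /human.aspx" for i in range(1, 31)]
    lines.append("2025-05-27 192.0.2.1 22 /")  # non-web port: must be ignored
    return lines

# Constructed IP-to-ASN map; "AS-A"/"AS-B" are placeholders, not real ASNs.
SAMPLE_IP_TO_ASN = {f"203.0.113.{i}": ("AS-A" if i <= 15 else "AS-B") for i in range(1, 31)}

def daily_unique_ips(lines, ports=MOVEIT_WEB_PORTS):
    """Return {date: set(src_ip)} for requests that reached a MOVEit web port."""
    per_day = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or not parts[2].isdigit():
            continue  # malformed line: skip rather than crash the detector
        date, src, port = parts[0], parts[1], int(parts[2])
        if port in ports:
            per_day[date].add(src)
    return per_day

def surge_days(per_day, baseline_days=3, factor=10):
    """Flag dates whose unique-IP count is >= factor x the median of the
    previous baseline_days (the report saw <10/day jump to >300/day)."""
    dates = sorted(per_day)
    flagged = {}
    for i in range(baseline_days, len(dates)):
        base = median(len(per_day[d]) for d in dates[i - baseline_days:i])
        count = len(per_day[dates[i]])
        if base > 0 and count >= factor * base:
            flagged[dates[i]] = count
    return flagged

def asn_concentration(ips, ip_to_asn):
    """Share of the day's IPs per ASN; a dominant share (44% from a single ASN
    in the report) is the coordination signal to alert on."""
    counts = Counter(ip_to_asn.get(ip, "unknown") for ip in ips)
    total = sum(counts.values())
    return {asn: round(n / total, 2) for asn, n in counts.items()}
```

Run `asn_concentration` only on the flagged day's set so the share reflects the surge traffic rather than the whole history.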

GreyNoise is developing dynamic IP blocklists to accelerate threat response.


AnuPriya

AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
