Recent activity indicates a significant increase in scanning and exploitation attempts against Progress Software’s MOVEit Transfer platform, a file-sharing solution used globally.
Over the past three months, cybersecurity researchers have observed a sustained surge in malicious activity, suggesting that threat actors are actively probing the platform for vulnerabilities. This pattern of scanning may indicate preparations for targeted attacks or exploitation campaigns.
Between March and June 2025, threat intelligence firm GreyNoise identified over 680 unique IP addresses engaging in scanning activity directed at MOVEit Transfer systems. The activity escalated further near the end of March, with daily scans exceeding 100 IPs, and has remained elevated since then, often ranging between 200 and 300 scans per day.
The majority of these scanning efforts are concentrated within a few major cloud service providers:
- Tencent Cloud accounts for approximately 44% of the total IPs involved.
- Other top sources include Cloudflare, Amazon Web Services, and Google Cloud.
This clustering suggests that the scanning activity is largely automated and centrally managed, rather than the result of dispersed, random probing. Most of the scanning IPs are geolocated within the United States, with primary targets including the United Kingdom, the United States, Germany, France, and Mexico, highlighting a geographically diverse threat landscape.
On June 12, GreyNoise also detected low-volume exploitation attempts targeting MOVEit Transfer systems via known vulnerabilities (CVE-2023-34362 and CVE-2023-36934) that had been disclosed recently.
While widespread exploitation hasn’t been confirmed, the activity indicates ongoing testing and reconnaissance efforts by threat actors.
Recommendations
MOVEit Transfer has been a target of cybercriminal activity in recent years, often exploited through zero-day vulnerabilities to deploy web shells and exfiltrate sensitive data. The current wave of scanning and testing suggests that attackers may be preparing for future data breach campaigns.
Organizations utilizing MOVEit Transfer should prioritize the following security measures:
- Apply all relevant patches and updates for known vulnerabilities. Visit Progress Software's upgrade page for more information.
- Monitor network activity for suspicious or unusual IP addresses and behaviors, and implement dynamic blocking where feasible.
- Limit public exposure of these systems and restrict access to only trusted users.
- Maintain continuous monitoring for emerging threats and adapt defenses accordingly.
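As an illustration of the monitoring recommendation, the following added example (not code from GreyNoise or Progress Software) counts distinct client IPs per day in a web access log and flags days that spike against the preceding baseline, listing the first-seen IPs as candidates for review or blocking. It assumes the MOVEit Transfer site's IIS log is in W3C extended format with `date` and `c-ip` fields; the surge factor and the sample log lines are constructed for the example.

```python
from collections import defaultdict
from statistics import median

def sample_lines():
    """Constructed IIS W3C log lines (documentation-range IPs, not real data)."""
    days = {"2025-01-01": [10, 11], "2025-01-02": [10, 12], "2025-01-03": [10, 11],
            "2025-01-04": [10, 20, 21, 22, 23, 24, 25, 26]}
    out = ["#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    for day, hosts in days.items():
        out += [f"{day} 08:00:00 GET / 198.51.100.{h} 200" for h in hosts]
    return out

def unique_ips_per_day(lines):
    """Map each date to the set of client IPs, using the #Fields directive."""
    fields, per_day = [], defaultdict(set)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if "date" in row and "c-ip" in row:
                per_day[row["date"]].add(row["c-ip"])
    return dict(per_day)

def flag_surges(per_day, factor=3.0, min_history=2):
    """Flag days whose unique-IP count exceeds factor x the median of earlier days.
    Returns (date, count, baseline, first_seen_ips) tuples; factor is an assumption."""
    alerts, seen, history = [], set(), []
    for day in sorted(per_day):
        ips = per_day[day]
        if len(history) >= min_history:
            baseline = median(history)
            if len(ips) > factor * baseline:
                # IPs never seen before the surge are the review/blocking candidates
                alerts.append((day, len(ips), baseline, sorted(ips - seen)))
        history.append(len(ips))
        seen |= ips
    return alerts

if __name__ == "__main__":
    for day, count, baseline, new_ips in flag_surges(unique_ips_per_day(sample_lines())):
        print(f"{day}: {count} unique IPs (baseline {baseline}); first seen: {new_ips}")
```

IIS writes W3C logs in UTC by default, so the day boundaries here are UTC days.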
The concentration of attack infrastructure within major cloud providers complicates attribution efforts and underscores the importance of comprehensive security strategies. The ongoing threat landscape emphasizes the need for organizations to remain vigilant and proactive in defending their systems. Maintaining up-to-date security measures and vigilant monitoring is essential to mitigate potential threats as they evolve.
To learn more about GreyNoise’s security research findings, check out their report here.