Escalating Cyber Threats Target MOVEit Transfer Systems: A Comprehensive Analysis

Since late May 2025, MOVEit Transfer, a widely used managed file transfer (MFT) product from Progress Software, has seen a sharp rise in hostile scanning followed by renewed exploitation attempts. The pattern repeats a lesson from 2023: internet-facing file transfer infrastructure concentrates sensitive data, and adversaries return to it whenever they suspect that unpatched instances remain.

Unprecedented Increase in Malicious Scanning Activity

Beginning May 27, 2025, security researchers observed a sharp rise in malicious scanning directed at MOVEit Transfer systems. The number of unique source IP addresses jumped from fewer than 10 per day to over 100 within 24 hours, and reached 319 unique IPs on May 28. The level then held at roughly 200 to 300 unique IPs per day, a 20- to 30-fold increase over the historical baseline. Scanning by itself does not mean any instance was compromised, but a surge of this shape often precedes the disclosure or exploitation of a new vulnerability, and it shows that threat actors were actively enumerating exposed MOVEit Transfer deployments.
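The detection a practitioner would want from this section is the baseline comparison itself: count distinct scanner sources per day, compare each day to a rolling median, and flag days that exceed a multiple such as 20x. The script below is an added example, not the researchers' tooling; its sensor hits are constructed tuples of (day, source IP, hosting provider) built to reproduce the shape described above, and the provider mix only approximates the text's proportions. It also groups the flagged days' sources by provider, which is the same calculation that produced the provider concentration figures reported later in the article.

```python
"""Flag days whose unique scanner-IP count far exceeds a rolling baseline.

Added example, not GreyNoise's, Progress Software's or any vendor's code.
All input is constructed in build_sample_hits(); no real telemetry is used.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_hits():
    """Constructed sensor hits (day, source_ip, provider); not real data.
    Two quiet weeks of 4-7 unique IPs per day, then the surge the text
    describes: over 100 sources on May 27 and 319 on May 28, 2025."""
    hits = []
    quiet_start = date(2025, 5, 13)
    for d in range(14):
        day = quiet_start + timedelta(days=d)
        for i in range(4 + d % 4):          # 4..7 unique IPs per quiet day
            hits.append((day, f"198.51.100.{i + 1}", "OtherHost"))
    # Provider mix per 100 sources, roughly the proportions in the article.
    providers = (["Tencent Cloud"] * 44 + ["Cloudflare"] * 16
                 + ["Amazon Web Services"] * 14 + ["Google Cloud Platform"] * 5
                 + ["OtherHost"] * 21)
    for day, n in ((date(2025, 5, 27), 120), (date(2025, 5, 28), 319)):
        for i in range(n):
            # Documentation ranges (TEST-NET-3, TEST-NET-1) keep IPs unique.
            ip = f"203.0.113.{i}" if i < 256 else f"192.0.2.{i - 256}"
            hits.append((day, ip, providers[i % 100]))
    return hits


def unique_ips_per_day(hits):
    """Map each day to its number of distinct source IPs."""
    seen = defaultdict(set)
    for day, ip, _provider in hits:
        seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}


def baseline_for(day, daily_counts, lookback_days=14):
    """Median unique-IP count over the lookback window before `day`.
    Days with no hits count as zero so gaps do not inflate the baseline;
    the median keeps one surge day from dragging the next day's baseline up."""
    window = [daily_counts.get(day - timedelta(days=k), 0)
              for k in range(1, lookback_days + 1)]
    return median(window)


def surge_days(hits, factor=20, lookback_days=14, min_baseline=1):
    """Return (day, unique_ips, ratio) for days at or above `factor` times
    the rolling baseline. `min_baseline` stops a zero baseline from flagging
    the first day any traffic arrives at a new sensor."""
    daily = unique_ips_per_day(hits)
    flagged = []
    for day in sorted(daily):
        base = max(baseline_for(day, daily, lookback_days), min_baseline)
        ratio = daily[day] / base
        if ratio >= factor:
            flagged.append((day, daily[day], round(ratio, 1)))
    return flagged


def provider_share(hits, days):
    """Distinct scanner IPs per hosting provider on the given days, as
    {provider: (count, share)}, largest first."""
    owner = {ip: prov for day, ip, prov in hits if day in days}
    total = len(owner)
    counts = defaultdict(int)
    for prov in owner.values():
        counts[prov] += 1
    return {p: (n, round(n / total, 3))
            for p, n in sorted(counts.items(), key=lambda kv: -kv[1])}


if __name__ == "__main__":
    hits = build_sample_hits()
    flagged = surge_days(hits)
    for day, count, ratio in flagged:
        print(f"{day}: {count} unique IPs, {ratio}x baseline")
    for prov, (n, share) in provider_share(hits, {d for d, _, _ in flagged}).items():
        print(f"{prov}: {n} IPs ({share:.1%})")
```

On a real sensor the tuples would come from firewall or IDS logs enriched with an ASN lookup; the median-based baseline and the `min_baseline` floor are the parts worth keeping, since a plain mean would let one surge day mask the next.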

Exploitation of Known Vulnerabilities

On June 12, 2025, researchers confirmed exploitation attempts against two known SQL injection vulnerabilities in MOVEit Transfer: CVE-2023-34362 and CVE-2023-36934. Both flaws let an unauthenticated attacker inject SQL into the MOVEit Transfer database, which exposes stored data and credentials; CVE-2023-34362 was additionally chained in 2023 to achieve remote code execution on the server. Progress Software patched both in 2023, so these attempts can only succeed against instances that never received those fixes. The requests were classified as malicious rather than as benign fingerprinting, which indicates a deliberate effort to exploit the flaws, not merely to inventory which hosts run the product.

Concentration of Attack Infrastructure

Analysis of the scanning infrastructure showed it concentrated in a handful of cloud providers. Tencent Cloud hosted 303 of the scanner IPs, 44% of the total, which puts the full set at roughly 690 addresses. Cloudflare (113 IPs), Amazon Web Services (94 IPs), and Google Cloud Platform (34 IPs) accounted for most of the rest. Cloud-hosted, provider-clustered sources of this kind point to a coordinated, programmatically managed campaign rather than random, opportunistic scanning. They also limit the value of blocking individual addresses or whole countries: the sources are cheap to rotate within the same provider ranges.

Geographical Focus of Attacks

The organizations targeted were located primarily in the United Kingdom, the United States, Germany, France, and Mexico. This geographical focus indicates a deliberate selection of targets, most likely aimed at sectors that run large data transfer operations, rather than an indiscriminate sweep.

Historical Context and Ongoing Threats

The 2025 surge is not an isolated incident but the latest chapter in a pattern of attacks on MOVEit Transfer. In late May 2023 (Progress disclosed the flaw on May 31, 2023), the Cl0p ransomware group exploited CVE-2023-34362, then a zero-day, in a mass data theft campaign that affected numerous organizations, including government agencies and corporations. The intruders dropped a web shell named human2.aspx, a name chosen to blend in with MOVEit's legitimate human.aspx page, and used it to execute commands and exfiltrate data from the MOVEit database. The incident showed the systemic risk of a single widely deployed file transfer product: one flaw, one campaign, many victims at once.
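Because the 2025 attempts target the same CVE that delivered human2.aspx in 2023, the most direct check an operator can run today is a hunt for that web shell's footprint. The script below is an added example, not Progress Software's or any vendor's detection code. It parses W3C-format IIS logs by their `#Fields:` header and flags requests whose URI names human2.aspx or _human2.aspx, and it filters a list of file paths for the same names so the web root can be swept. The log excerpt is constructed; the default web root path in the comment is an assumption to be checked against the local install.

```python
"""Hunt for the human2.aspx web shell pattern in IIS logs and on disk.

Added example, not Progress Software's or any vendor's detection code.
Indicators: requests to /human2.aspx or /_human2.aspx (the 2023 web shell
was named to blend in with MOVEit's legitimate human.aspx page), and files
with those names under the web root. The log lines below are constructed."""
import os
import re

# Web shell file names reported from the 2023 campaign; matched without
# regard to case because IIS paths and NTFS names are case-insensitive.
WEBSHELL_NAME = re.compile(r"^_?human2\.aspx$", re.IGNORECASE)

# Constructed W3C-format IIS log excerpt. The legitimate /human.aspx request
# on the first data line must not be flagged; the last line checks casing.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-06-12 03:14:07 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-06-12 03:14:09 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-06-12 03:15:02 10.0.0.5 GET /_human2.aspx - 443 - 203.0.113.9 python-requests/2.31 404
2025-06-12 03:15:03 10.0.0.5 GET /HUMAN2.ASPX - 443 - 203.0.113.9 python-requests/2.31 200
""".splitlines()


def _leaf(path):
    """Last path component, splitting on both '/' and '\\' so Windows paths
    examined from a Linux analysis host are handled too."""
    return re.split(r"[\\/]", path)[-1]


def parse_iis_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header.
    W3C logs may restate the header mid-file when the field set changes, so
    the header is re-read whenever it appears; lines whose token count does
    not match the current header are skipped rather than guessed at."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def hunt_webshell_requests(lines):
    """Return requests whose URI stem names the web shell, in log order.
    A 404 is still reported: it shows someone probing for the shell."""
    hits = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if WEBSHELL_NAME.match(_leaf(stem)):
            hits.append({
                "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "client": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "stem": stem,
                "status": rec.get("sc-status"),
            })
    return hits


def find_webshell_files(paths):
    """Filter an iterable of file paths down to web shell names. Feed it
    walk_webroot() on a live host, or any list of paths for testing."""
    return [p for p in paths if WEBSHELL_NAME.match(_leaf(p))]


def walk_webroot(root):
    """Yield every file path under the MOVEit web root. The default install
    location is assumed here to be C:\\MOVEitTransfer\\wwwroot; verify it."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


if __name__ == "__main__":
    for hit in hunt_webshell_requests(SAMPLE_IIS_LOG):
        print(hit)
```

Run it against the full IIS log history, not just recent files: a shell dropped in 2023 and never removed would show its first request well before any 2025 activity.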

Recommendations for Mitigation

Given the persistent threats, organizations utilizing MOVEit Transfer systems should implement the following measures:

1. Immediate Patching: Apply the current MOVEit Transfer releases from Progress Software. The 2025 attempts target CVE-2023-34362 and CVE-2023-36934, both fixed in 2023, so confirm that the installed version actually carries those fixes rather than assuming it does.

2. Network Traffic Monitoring: Alert on unusual scanning and on access attempts from IP addresses associated with known malicious activity, and compare daily unique scanner sources against your own baseline, since a surge of that kind preceded the 2025 exploitation attempts. Review IIS logs and the web root for unexpected .aspx files and for requests to them.

3. Access Controls: Expose MOVEit Transfer only to the networks and partners that need it, keep the administrative interface off the public internet, and require multi-factor authentication for all accounts. Where public exposure cannot be avoided, restrict inbound HTTP and HTTPS at the firewall to known client addresses.

4. Incident Response Planning: Maintain and exercise a response plan specific to MOVEit: which data the server holds, who must be notified, and how the database and web root are preserved for forensics before any cleanup.

5. User Education: Train employees on phishing and the other common initial-access vectors, which remain the attacker's fallback when a direct exploit fails.

Conclusion

The escalating attacks on MOVEit Transfer systems, and the fact that the 2025 exploitation attempts rely on vulnerabilities patched two years earlier, underscore the need for proactive security measures. Organizations must keep internet-facing transfer systems current, watch for the scanning patterns that precede exploitation, and hold to robust security controls to safeguard sensitive data against evolving threats.