Potential Cyber Threat Emerges As MOVEit Scanning Accelerates

Posted by Tony Bradley, Senior Contributor | 21 hours ago | Cybersecurity, Enterprise Tech, Innovation | Views: 7


Progress Software’s MOVEit Transfer system is back in the cybersecurity spotlight — and not for good reasons. New telemetry from GreyNoise shows a sharp and sudden surge in scanning activity, raising fears that attackers may be preparing for a fresh wave of exploitation, echoing the mass compromise campaigns of 2023.

A Sudden Shift That Demands Attention

On May 27, GreyNoise recorded a striking jump in the number of unique IPs probing MOVEit Transfer systems. Scanning activity, previously hovering below 10 IPs per day, skyrocketed to over 100. The next day, it surged to 319. Since then, daily scans have remained high, fluctuating between 200 and 300 unique IPs — a pattern that GreyNoise calls a “significant deviation” from baseline behavior.

These aren’t just idle scans. Nearly half of the probing IPs — 44% — are associated with Tencent Cloud. Others originate from Amazon AWS, Cloudflare, and Google Cloud, platforms often abused for mass-scale reconnaissance due to their ease of access and global reach.

The scans are originating primarily from the United States, but also span Germany, Japan, Singapore, Brazil, and other countries. The targets are globally distributed, with GreyNoise noting attempted access across the UK, Germany, France, and Mexico.

Echoes of 2023

MOVEit Transfer made headlines just a couple years ago when a critical SQL injection vulnerability (CVE-2023-34362) was exploited by the Cl0p ransomware group. That zero-day led to breaches at hundreds of organizations, including government agencies and major corporations. The attackers used automated scanning and mass exploitation to infiltrate unpatched instances at scale.

The current surge raises concerns that we may be witnessing a similar prelude. Attackers are known to conduct broad reconnaissance to identify unpatched or misconfigured systems before launching widespread attacks. GreyNoise’s detection of sustained scanning over multiple weeks — rather than a short spike — suggests that reconnaissance is ongoing, possibly automated, and potentially linked to active threat actors preparing an operation.

But not all experts see this as a clear sign of an imminent threat. “The increase in scanning activity targeting MOVEit Transfer systems is worth monitoring, but doesn’t necessarily indicate imminent or widespread exploitation,” said Shane Barney, CISO at Keeper Security. “This type of behavior often reflects opportunistic threat actors probing for unpatched systems – not necessarily a sophisticated adversary.”

Still, Barney acknowledged the high stakes: “The MOVEit vulnerabilities have a history of being exploited at scale, with significant consequences, so organizations must remain vigilant.”

What to Do Now

Security leaders should act now, not later. Here’s what should be prioritized:

  • Patch verification: Double-check all MOVEit Transfer instances to confirm they’re fully updated with all recent security fixes.
  • Log review and traffic monitoring: Inspect historical logs for unusual inbound traffic around late May. Monitor for continued anomalous requests — particularly from Tencent, AWS, and other cloud provider ASNs.
  • Threat intelligence integration: Leverage platforms that can provide IP reputation insights, geolocation data, and cross-reference known threat actor infrastructure.
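As an added example (not code from the article, GreyNoise or Progress), the log-review step above as a small script: it counts distinct source IPs per day that touched the MOVEit Transfer login page in constructed IIS-style log lines, flags days that jump far above the prior median in the way GreyNoise's sub-10 to 300+ deviation did, and reports what share of a flagged day's sources fall in a constructed cloud-prefix list standing in for an ASN or IP-reputation feed. The /human.aspx path, the log format, the thresholds and the IP ranges are all assumptions.

```python
from collections import defaultdict
from statistics import median
import ipaddress
MOVEIT_PATHS = ("/human.aspx",)  # assumed MOVEit Transfer login page path; adjust
# Constructed stand-in for an ASN / IP-reputation feed (RFC 5737 test ranges only).
CLOUD_PREFIXES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS client_ip METHOD path status'; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    day, _time, ip, _method, path, _status = parts
    try:
        return day, ipaddress.ip_address(ip), path
    except ValueError:
        return None

def unique_ips_per_day(lines):
    """Map each day to the set of distinct client IPs that requested MOVEit paths."""
    per_day = defaultdict(set)
    for day, ip, path in filter(None, map(parse_line, lines)):
        if path.startswith(MOVEIT_PATHS):
            per_day[day].add(ip)
    return per_day

def cloud_share(ips):
    """Fraction of the given IPs that fall inside a known cloud prefix."""
    hits = sum(any(ip in net for net in CLOUD_PREFIXES) for ip in ips)
    return hits / len(ips) if ips else 0.0

def flag_surges(lines, multiplier=5, min_unique=10):
    """[(day, unique_ips, cloud_share)] for days >= min_unique and >= multiplier x prior median."""
    per_day, history, flagged = unique_ips_per_day(lines), [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        baseline = median(history) if history else 0
        if count >= min_unique and count >= multiplier * max(baseline, 1):
            flagged.append((day, count, round(cloud_share(per_day[day]), 2)))
        history.append(count)
    return flagged
# Constructed sample: two quiet days, then 12 distinct sources hit the login page.
SAMPLE_LOG = (
    ["2025-05-25 09:12:01 192.0.2.10 GET /human.aspx 200",
     "2025-05-25 11:40:17 192.0.2.11 GET /human.aspx 200",
     "2025-05-26 08:01:44 192.0.2.10 GET /human.aspx 200",
     "2025-05-26 13:22:09 192.0.2.12 GET /images/logo.png 200"]
    + [f"2025-05-27 00:{i:02d}:00 198.51.100.{i} GET /human.aspx 401" for i in range(1, 6)]
    + ["2025-05-27 00:06:00 203.0.113.9 GET /human.aspx 401"]
    + [f"2025-05-27 00:{i:02d}:00 192.0.2.{i} GET /human.aspx 401" for i in range(20, 26)]
)
```

Running `flag_surges(SAMPLE_LOG)` on the constructed sample flags only 2025-05-27, with half of that day's sources inside the cloud prefixes; the real input would be your MOVEit front-end's access logs and a proper ASN feed.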

Nivedita Murthy, senior staff consultant at Black Duck, emphasized that attackers are quick to capitalize on lapses in patching. “Attackers are exploiting a vulnerability in outdated versions of MOVEit Transfer, emphasizing the importance of keeping software up-to-date with the latest patches,” she said.

Murthy also noted the growing role of automation in these campaigns: “With the help of AI, attackers can automate a lot of their tasks and run attacks faster while making them harder to detect.”

She recommends a layered defense, starting with visibility: “Security teams should inventory all instances of the software using SCA tools, implement additional controls such as authentication and authorization, and regularly scan their software inventory for risks.”

Maintaining accurate Software Bills of Materials, she added, is also critical to managing risk and “helps confidently unleash business innovation in an era of accelerating risk.”

Cloud Platforms as Recon-as-a-Service

There’s also a broader trend at play: cloud infrastructure is now a top tool for adversaries. Spinning up virtual machines on public cloud services takes minutes and costs pennies. That makes them perfect for running scanning scripts or launching low-and-slow enumeration attacks while obscuring true attribution.

Tencent Cloud’s appearance in this story is notable, not because the company is complicit, but because of the volume. With nearly half of scanner IPs traced back to Tencent’s ASN, it’s clear adversaries see value in its global footprint and accessibility.

This development calls for better coordination between cloud providers and the security community to detect, report, and tear down abuse infrastructure before it’s weaponized.

A Warning, Not Yet a Breach

While the scanning activity may not yet point to a coordinated exploit campaign, the patterns are uncomfortably familiar. Last year’s MOVEit breaches didn’t start with explosions — they started with quiet reconnaissance.

“Ensuring patches are applied, systems aren’t unnecessarily exposed, and privileged access is tightly controlled are all foundational steps that help reduce risk,” Barney advised. “While cybercrime groups may attempt to speed up and scale campaigns with automation or AI, core defense strategies remain the same: establish a zero-trust architecture, manage privileged access, and use real-time threat detection.”

This isn’t cause for panic…yet. But it is a call to be prepared. Threat actors are scanning. Whether or not they act depends, in part, on whether defenders leave the door open.



Forbes
