New Attacks Loom for MOVEit After 2023 Clop Breach; Global Scanning Jumps from Zero to 682 in 90 Days

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

File transfer service MOVEit, which made headlines for multiple security incidents stemming from a single vulnerability, has once again drawn attention due to renewed threat activity.

Researchers observed an increase in scanning activity targeting the MOVEit Transfer system beginning on May 27, 2025.

MOVEit, which is designed as secure file transfer software, was observed being probed by suspicious actors scanning for systems with exploitable vulnerabilities.

On June 12, 2025, the platform experienced a low volume of exploitation attempts. Threat actors tried to exploit two previously disclosed MOVEit vulnerabilities, which included CVE-2023-34362.

On average, researchers had detected nearly 10 IP address scanning events per day. However, over 100 unique scanning IPs were recorded on May 27, and 319 on May 28, raising concerns.

Subsequently, scanning activity remained elevated at between 200 and 300 IPs per day, according to a GreyNoise report.

Spike in scanning activity observed over 45 days | Source: GreyNoise

“These patterns often coincide with new vulnerabilities emerging two to four weeks later,” GreyNoise added.

Furthermore, research revealed that over 90 days, scanning activity surged to 682 unique IPs. These IPs triggered GreyNoise's MOVEit Transfer scanner tag, where such activity had previously registered at zero.

Key observations were as follows:

CVE-2023-34362 exploitation attempts | Source: GreyNoise

Exploitation attempts focused on the SQL injection vulnerabilities CVE-2023-34362 and CVE-2023-36934, with the aim of remote code execution.

Regarding the current safety posture of MOVEit Transfer, GreyNoise clarified, “These events occurred during the period of heightened scanning and may represent target validation or exploit testing, but at this time, no widespread exploitation has been observed by GreyNoise.”

Security teams are strongly urged to block suspicious IPs, audit the public exposure of all MOVEit Transfer systems, and apply patches for vulnerabilities. They are also advised to monitor attacker activity in real time to protect client data.
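
The monitoring advice above can be applied to the access logs of a MOVEit Transfer front end. The following is an added example, not code from GreyNoise or the original article: it counts unique client IPs per day and flags days far above the trailing median, including a jump from a zero baseline. The Common Log Format input, the thresholds, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Common Log Format prefix: client IP, ident, user, [dd/Mon/yyyy:...
LINE_RE = re.compile(r"^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):")

def unique_ips_per_day(lines):
    """Map each calendar day to the set of client IPs seen that day."""
    days = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the run
            day = datetime.strptime(m.group(2), "%d/%b/%Y").date()
            days[day].add(m.group(1))
    return days

def spike_days(days, window=7, factor=5, min_ips=20):
    """Return (day, unique_ips, baseline) for days far above the trailing median.

    Days with no traffic count as 0, so a jump from a zero baseline still
    alerts once it reaches min_ips. All thresholds are assumed values to tune.
    """
    if not days:
        return []
    first, last = min(days), max(days)
    calendar = [first + timedelta(d) for d in range((last - first).days + 1)]
    counts = [len(days.get(d, ())) for d in calendar]
    alerts = []
    for i in range(1, len(calendar)):
        baseline = median(counts[max(0, i - window):i])
        if counts[i] >= min_ips and counts[i] > factor * baseline:
            alerts.append((calendar[i], counts[i], baseline))
    return alerts

def build_sample():
    """Constructed log lines: 10 IPs/day for a week, then 110 and 319."""
    volumes = [10] * 7 + [110, 319]
    lines = []
    for offset, n in enumerate(volumes):
        for k in range(n):
            ip = f"198.51.{100 + k // 250}.{k % 250 + 1}"  # constructed sample addresses
            lines.append(f'{ip} - - [{20 + offset:02d}/May/2025:10:00:00 +0000] '
                         '"GET / HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    for day, count, baseline in spike_days(unique_ips_per_day(build_sample())):
        print(f"{day}: {count} unique IPs (trailing median {baseline})")
```

The source IPs on flagged days are the candidates for the blocklist review and exposure audit recommended above.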

The Clop ransomware group exploited a MOVEit vulnerability in 2023, leading to extortion campaigns affecting thousands of linked organizations.

