Researchers have observed a significant increase in malicious scanning activity targeting MOVEit Transfer systems, with over 682 unique IP addresses participating in coordinated reconnaissance and exploitation attempts over the past 90 days.
The surge represents a significant shift from baseline activity levels and indicates that threat actors are actively preparing for potential large-scale attacks against enterprise file transfer infrastructure.
Summary
1. MOVEit Transfer systems hit by a 20-30x increase in malicious scanning since May 27, 2025, from fewer than 10 daily IPs to 100+ attackers.
2. Confirmed exploitation attempts on June 12 targeting the CVE-2023-34362 and CVE-2023-36934 vulnerabilities for remote code execution.
3. 44% of the 682 attacking IPs are hosted on Tencent Cloud, indicating systematic rather than random attacks.
4. Primary focus on organizations in the UK, US, Germany, France, and Mexico for potential ransomware/data theft.
The attack campaign began on May 27, 2025, marking a stark departure from previously minimal scanning activity that typically involved fewer than 10 IP addresses per day.
Within 24 hours, the number of unique scanning IPs surged to over 100, followed by 319 IPs on May 28.
Since this initial spike, daily scanner volumes have consistently remained elevated between 200 to 300 unique IP addresses, representing a 20-30x increase over historical baselines.
This sustained elevation in scanning activity suggests threat actors are conducting systematic reconnaissance against MOVEit Transfer deployments globally.
The activity pattern aligns with historical precedents where increased scanning precedes the emergence of new vulnerabilities by two to four weeks, indicating potential zero-day research or preparation for exploiting undisclosed vulnerabilities.
On June 12, 2025, GreyNoise detected confirmed exploitation attempts targeting two critical SQL injection vulnerabilities in MOVEit Transfer systems.
The attacks specifically leveraged CVE-2023-34362 and CVE-2023-36934, both classified as remote code execution vulnerabilities that allow attackers to execute arbitrary commands on vulnerable systems.
CVE-2023-34362 exploitation attempts peaked at 11 unique IP addresses, while CVE-2023-36934 saw activity from 8 unique IPs during the same timeframe.
Both vulnerability exploitation patterns were tagged as “MALICIOUS” by GreyNoise’s threat intelligence platform, indicating confirmed malicious intent rather than security research or legitimate scanning activity.
Analysis of the attacking infrastructure reveals concerning patterns suggesting coordinated, programmatically-managed campaigns rather than distributed opportunistic scanning.
Tencent Cloud (ASN 132203) hosts 303 IP addresses, representing 44% of all observed scanner IPs, indicating significant infrastructure concentration within a single autonomous system.
Additional cloud providers contributing to the attack infrastructure include Cloudflare (113 IPs), Amazon Web Services (94 IPs), and Google Cloud Platform (34 IPs).
This concentration across major cloud service providers suggests threat actors are leveraging legitimate cloud infrastructure to conduct attacks, making detection and attribution more challenging for defenders.
Geographically, the attacks primarily target organizations in the United Kingdom, the United States, Germany, France, and Mexico, while the majority of attacking IP addresses geolocate to the United States.
This geographic distribution suggests both the global scope of the campaign and the strategic targeting of Western organizations and infrastructure.
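The two signals the article relies on, a jump in distinct scanner IPs per day against a quiet-period baseline and the concentration of those IPs in a few hosting networks, can be reproduced from ordinary web-server logs. The following is an added example, not GreyNoise's or Progress's code; the log lines are constructed and the ASN names and prefixes are hypothetical placeholders, not the real allocations named above.

```python
# Constructed log excerpt: "YYYY-MM-DD <source IP>", one line per request.
# Quiet week: four distinct IPs per day. Surge day: 120 distinct IPs.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

SAMPLE_LOG = [f"2025-05-{20 + d:02d} 198.51.100.{n}" for d in range(7) for n in range(1, 5)]
SAMPLE_LOG += [f"2025-05-27 203.0.113.{n}" for n in range(80)]        # hypothetical cloud A
SAMPLE_LOG += [f"2025-05-27 203.0.113.{128 + n}" for n in range(40)]  # hypothetical cloud B
SAMPLE_LOG += ["2025-05-27 203.0.113.5"] * 3   # repeat hits from one IP count once

# Hypothetical ASN-to-prefix map; in practice this comes from an IP-to-ASN feed.
ASN_PREFIXES = {
    "AS-EXAMPLE-CLOUD-A": [ip_network("203.0.113.0/25")],
    "AS-EXAMPLE-CLOUD-B": [ip_network("203.0.113.128/25")],
    "AS-EXAMPLE-ISP": [ip_network("198.51.100.0/24")],
}

def unique_ips_per_day(lines):
    """Map each day to the set of distinct source IPs seen that day."""
    per_day = defaultdict(set)
    for line in lines:
        day, ip = line.split()
        per_day[day].add(ip_address(ip))
    return per_day

def surge_days(per_day, baseline_days, factor=20):
    """Return {day: multiplier} for days whose distinct-IP count is at least
    `factor` times the median of the baseline days (floor of 1 avoids /0)."""
    base = max(1, median(len(per_day.get(d, ())) for d in baseline_days))
    return {d: len(ips) / base for d, ips in per_day.items()
            if d not in baseline_days and len(ips) >= factor * base}

def asn_shares(ips, asn_prefixes):
    """Fraction of the given IPs inside each ASN's prefixes ('unknown' otherwise)."""
    hits = Counter()
    for ip in ips:
        owner = next((asn for asn, nets in asn_prefixes.items()
                      if any(ip in net for net in nets)), "unknown")
        hits[owner] += 1
    return {asn: n / len(ips) for asn, n in hits.items()}

if __name__ == "__main__":
    days = unique_ips_per_day(SAMPLE_LOG)
    quiet = [f"2025-05-{d:02d}" for d in range(20, 27)]
    print(surge_days(days, quiet))                    # {'2025-05-27': 30.0}
    print(asn_shares(days["2025-05-27"], ASN_PREFIXES))
```

A share well above what a network's size alone would predict, as with the 44% on one ASN reported above, is the cue to review that provider's ranges for blocking rather than chasing individual addresses.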
Organizations operating MOVEit Transfer systems should immediately implement dynamic IP blocking using GreyNoise intelligence feeds, audit public exposure of file transfer systems, and ensure all known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934, are patched.
The sustained nature of this campaign indicates continued threat actor interest in MOVEit Transfer infrastructure, requiring ongoing vigilance and proactive security measures.