MOVEit Transfer Under Heightened Threat as Scanning Activity Surges and CVE Vulnerabilities Come Under Fire

Network security firm GreyNoise has reported a “notable surge” in scanning activity targeting Progress MOVEit Transfer systems since May 27, 2025, indicating that cybercriminals may be gearing up for a new mass exploitation campaign or probing for unpatched vulnerabilities. MOVEit Transfer, widely utilized by businesses and government agencies for secure file sharing, is a prime target due to its handling of sensitive data.

“Prior to this date, scanning was minimal—typically fewer than 10 IP addresses were observed daily,” the firm stated. “However, on May 27, that number skyrocketed to over 100 unique IPs, followed by 319 on May 28.” Since then, the volume of scanning IPs has remained intermittently elevated, fluctuating between 200 and 300 daily, marking a “significant deviation” from normal patterns. GreyNoise reports that as many as 682 unique IPs have been flagged in connection with this increased activity.

Increased Threat Landscape for MOVEit Transfer Amidst Rising Scanning Activities

June 27, 2025

In a recent update, cybersecurity firm GreyNoise has reported a significant surge in scanning activities targeting Progress MOVEit Transfer systems. This uptick, which began on May 27, 2025, raises concerns that cybercriminals may be gearing up for a mass exploitation campaign or actively searching for unpatched vulnerabilities within the software. MOVEit Transfer, a widely utilized managed file transfer solution, is favored by various businesses and government entities for its ability to facilitate secure data sharing of sensitive information. Its reputation for handling high-value data makes it an appealing target for malicious actors.

Prior to the recent spike in scanning activities, the monitoring data indicated that fewer than ten unique IP addresses were typically seen scanning MOVEit systems each day. However, on May 27, that figure escalated dramatically to over one hundred IPs, with another jump to 319 IPs the following day. Since then, the daily volume of scanning IPs has fluctuated between 200 and 300, a substantial departure from the norm and indicative of heightened malicious interest in this software.

In total, as many as 682 unique IPs have been identified as actively probing MOVEit Transfer installations, underscoring a trend that cybersecurity experts believe denotes significant risk. The timing aligns with the emergence of Common Vulnerabilities and Exposures (CVE) entries affecting the MOVEit Transfer solution, suggesting that attackers are likely leveraging these vulnerabilities to gain access to critical systems.

Businesses that rely on MOVEit Transfer must be vigilant, as this scanning activity may point to attempts at gaining initial access to their networks. The MITRE ATT&CK framework reveals that techniques involved in such probing often include efforts to identify unpatched systems, which could lead to privilege escalation and, ultimately, unauthorized data access. Defensive measures should therefore be prioritized, emphasizing timely patching and enhanced monitoring of network traffic.

Given the nature of this rising threat landscape, affected organizations should consider implementing additional security protocols to safeguard their environments. Enhanced intrusion detection systems and thorough vulnerability assessments may help mitigate the risks posed by potential exploitation attempts.
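The baseline-versus-spike comparison described above can be applied to an organization's own MOVEit Transfer front-end logs. The following is an added example, not code from GreyNoise or the original article; the combined access-log format, the thresholds, and the sample lines (documentation-range IPs, constructed counts) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed format: combined access log, e.g. from a reverse proxy in front of MOVEit Transfer.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):')

def daily_unique_ips(lines):
    """Map each day string to the set of distinct client IPs seen that day."""
    days = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped, not counted
            days[m.group(2)].add(m.group(1))
    return days

def flag_spikes(days, window=7, factor=3, floor=10):
    """Return (day, count, baseline) for days whose unique-IP count exceeds
    max(floor, factor * median of the preceding unflagged days)."""
    ordered = sorted(days, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    history, flagged = [], []
    for day in ordered:
        n = len(days[day])
        base = median(history[-window:]) if history else None
        if base is not None and n > max(floor, factor * base):
            flagged.append((day, n, base))  # spike days stay out of the baseline
        else:
            history.append(n)
    return flagged

def sample_log():
    """Constructed sample: three quiet days, then two elevated days."""
    plan = [("24/May/2025", 4), ("25/May/2025", 6), ("26/May/2025", 5),
            ("27/May/2025", 40), ("28/May/2025", 55)]
    lines = []
    for day, n in plan:
        for i in range(n):
            ip = f"198.51.100.{i + 1}"  # documentation range, not real scanners
            for _ in range(2):  # two requests per IP: requests != unique IPs
                lines.append(f'{ip} - - [{day}:10:00:00 +0000] "GET / HTTP/1.1" 404 0')
    return lines

if __name__ == "__main__":
    for day, n, base in flag_spikes(daily_unique_ips(sample_log())):
        print(f"{day}: {n} unique IPs (baseline median {base})")
```

Keeping flagged days out of the rolling baseline prevents a sustained campaign from normalizing itself and silencing later alerts.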

As the scanning activity persists at elevated levels, businesses operating in sectors where MOVEit Transfer is employed are advised to remain alert and adaptable in their security strategies. Preparedness against evolving cyber threats remains crucial, as the consequences of successful intrusions can be far-reaching, impacting both organizational integrity and customer trust.

Industry experts emphasize that proactive measures and an informed approach to cybersecurity are essential in light of these developments. Keeping abreast of current threats and vulnerabilities will empower organizations to better defend against the increasing risks posed by malicious cyber actors.
