
MOVEit Transfer Systems Targeted in Coordinated Global Attack Surge: What You Need to Know

Cyber threats rarely make headlines unless something big is brewing—like a sudden, global spike in attacks on a widely trusted system. That’s exactly what’s happening right now with MOVEit Transfer systems, which have been hit by an unprecedented wave of scans and attempted exploits from over 100 unique IP addresses in a single day. The numbers are jaw-dropping, but the bigger story isn’t just about data points: it’s about how attackers are evolving, what’s at stake for organizations worldwide, and—more importantly—what you can do to protect your most sensitive data.

If you’re responsible for your company’s cybersecurity, manage IT infrastructure, or simply want to understand the latest threat landscape, this post will walk you through the recent MOVEit attacks, why they matter, and what actionable steps you should consider right now.

Why Are MOVEit Transfer Systems Under Attack? (And Why Should You Care?)

Let’s start with the basics. MOVEit Transfer is a secure file transfer solution used by thousands of organizations—including Fortune 500 companies, government agencies, and healthcare providers—to move sensitive data safely between systems. Because these platforms often act as the “central nervous system” for high-value data exchanges, they’re irresistible targets for cybercriminals seeking mass data exfiltration and extortion opportunities.

But here’s the kicker: when attackers find a vulnerability in a platform like MOVEit, it’s not just one organization at risk—it’s the entire supply chain. A single weak link can open the door to compromise hundreds, or even thousands, of downstream partners and clients. That’s what happened during the MOVEit vulnerability exploit crisis in 2023, and we’re seeing signs that threat actors are testing the waters again.

A Sudden Tsunami: The Recent Surge in MOVEit Scanning Activity

From Routine to Red Alert: What Changed Overnight?

Until recently, MOVEit Transfer systems experienced minimal, background-level scanning—think of it like the digital equivalent of someone occasionally rattling your doorknob to see if you’re home. But on May 27, daily scans exploded past 100 unique IPs for the first time, according to GreyNoise, a respected threat intelligence firm.

Just one day later, that number more than tripled to 319 unique IPs.

Since then, the barrage hasn’t let up. Scan volumes have stayed elevated, fluctuating between 200 and 300 unique IPs each day—levels far above anything seen before. If you ran a graph of historical vs. current scanning activity, you’d see a hockey-stick-shaped spike that any IT security pro would find alarming.

By the Numbers: 90-Day Scanning Overview

  • 682 unique IPs tagged for scanning MOVEit Transfer (past 90 days)
  • 44% traced to Tencent Cloud infrastructure (ASN 132203)
  • Additional scanning sourced from Cloudflare, Amazon, and Google
  • Majority of scanning IPs geolocate to the United States
  • Targeted destinations include the US, UK, Germany, France, and Mexico

This isn’t random background noise—it’s coordinated, automated reconnaissance on a global scale.

Who’s Behind the Scanning? Decoding the Attack Infrastructure

Cloud Providers in the Crosshairs

One of the most telling signs of coordination is the centralization of scanning infrastructure. In this wave, nearly half of the scanning activity originates from Tencent Cloud (ASN 132203), with significant volume also coming from Cloudflare, Amazon Web Services, and Google Cloud.

Why does that matter? Major cloud providers allow attackers to rapidly spin up virtual machines and IP addresses, making it cheap and easy to launch scalable, distributed scanning campaigns while staying one step ahead of blacklists and firewalls.

Think of it like cyber “leasing”—instead of building their own infrastructure, attackers rent it from the world’s biggest cloud landlords.

Geolocation and Target Patterns

While the majority of scanning IPs geolocate to the United States, destinations are global. Organizations in the UK, Germany, France, and Mexico are all on the radar. Attackers aren’t picky—they go where the data lives.

Is This Just Noise, or Are Real Exploits Happening?

Low-Volume Exploitation Attempts Detected

On June 12, 2025, GreyNoise detected a small number of exploitation attempts against MOVEit systems—specifically targeting CVE-2023-34362 and CVE-2023-36934. These are not new vulnerabilities; they were at the core of last year’s high-profile breaches.

Here’s why that matters: Even though widespread exploitation hasn’t been observed (yet), the fact that attackers are probing for known flaws during this scan surge is a classic sign of reconnaissance ahead of potential mass attacks.

It’s like burglars casing the neighborhood, checking which houses still have the same old locks.

No Mass Exploitation… Yet

So far, there’s no evidence of a new, widespread breach. But history tells us that scanning activity often precedes exploitation—especially when attackers find unpatched systems.

The Human Cost: What’s at Stake for Organizations?

MOVEit’s Role in Secure File Transfers

MOVEit Transfer systems aren’t just another app—they’re trusted conduits for sensitive business, healthcare, and government data. That means a compromised MOVEit system can lead to:

  • Mass data theft (personal, financial, or medical records)
  • Supply chain compromise (your partners and clients become vulnerable)
  • Extortion campaigns (using stolen data as leverage)
  • Regulatory nightmares (GDPR, HIPAA, and other compliance fallout)

When attackers exploit one vulnerability in a MOVEit instance, they don’t just break into a single office—they potentially unlock the doors to a web of interconnected organizations. That’s why these attacks have such a far-reaching impact.

Real-World Consequences: The 2023 MOVEit Breach

Let’s not forget: The MOVEit vulnerability exploits of 2023 were linked to Lace Tempest (also known as the Clop ransomware group), which used custom web shells for data theft and then extorted victims by threatening to publish sensitive files.

  • Hundreds of organizations were affected globally.
  • Stolen data ended up on “leak sites,” creating public relations and compliance disasters.
  • The breach’s ripple effects are still being felt by downstream partners to this day.

Inside the Attackers’ Playbook: How Coordinated Reconnaissance Works

Automated Scanning: The Digital Equivalent of Drone Surveillance

Attackers rarely use manual methods for reconnaissance anymore. Instead, they leverage automation—scripts and bots that scan thousands of targets simultaneously, looking for vulnerable MOVEit endpoints and cataloging everything from version numbers to exposed ports.

  • Step 1: Launch a fleet of scanning “drones” from cloud servers (using diverse IPs to avoid detection).
  • Step 2: Map the internet for MOVEit Transfer instances, noting which ones might be vulnerable.
  • Step 3: If a vulnerable system is found, deploy an exploit (like those targeting CVE-2023-34362 or CVE-2023-36934).
  • Step 4: Exfiltrate data, install web shells, or set up ransomware payloads for later use.

This playbook is efficient, scalable, and unfortunately, increasingly common.

Why Centralization on Cloud Providers Is a Red Flag

When most scanning comes from a handful of cloud providers, it suggests more than just opportunistic hackers. Coordinated groups can automate reconnaissance at scale, quickly adapt to defenses, and even rotate IPs to evade blocklists. This level of sophistication points toward well-resourced threat actors—think ransomware gangs, not lone wolves.

Microsoft and the OSINT Community: Shedding Light on Threat Actors

Who Is Lace Tempest, and Why Are They Dangerous?

According to Microsoft’s analysis, much of the malicious activity targeting MOVEit Transfer has been attributed to Lace Tempest—an experienced group known for running the Clop ransomware extortion site.

Their modus operandi:

  • Find and exploit zero-day vulnerabilities in high-value platforms like MOVEit
  • Use custom web shells to maintain covert access and exfiltrate data
  • Leak stolen files to pressure organizations into paying ransoms

These aren’t “smash and grab” attacks—they’re calculated, high-return operations aimed at maximum impact.

The Role of Open Source Intelligence (OSINT)

Tools like GreyNoise, Shodan, and Censys enable defenders to see the big picture. By aggregating scan data, they help researchers spot trends, identify attack infrastructure, and even trace activity back to specific actors or campaigns. If you’re not already using these resources to augment your cyber defense, now’s the time to start.

How to Respond: Actionable Steps for MOVEit Transfer Defenders

Let’s get practical. If your organization uses MOVEit Transfer—or any other high-value file transfer system—what should you do right now?

1. Patch Immediately

2. Harden Your Perimeter

  • Restrict access to MOVEit Transfer systems (e.g., via VPN or IP allowlists).
  • Disable unnecessary services and ports.

3. Monitor for Suspicious Activity

  • Review logs for signs of unusual access or scan patterns.
  • Integrate threat intelligence feeds into your SIEM to detect activity from known malicious IPs.
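The two monitoring bullets above can be turned into a concrete check. The script below is an added example, not code from the original article, from GreyNoise, or from Progress Software: it reads web-server access logs in a simplified space-separated layout (date, time, client IP, method, URI, status), counts distinct client IPs per day that touched MOVEit-related paths, flags a day when that count passes an absolute threshold or jumps sharply over the previous day (the 100-IP and "more than tripled" figures from the article are used as defaults), and cross-references every client IP against a CIDR blocklist of the kind a threat-intelligence feed delivers. The log lines, the blocklist, and the list of paths to watch are all constructed for illustration; which paths your deployment actually exposes is an assumption to verify against your own IIS configuration.

```python
"""Scan-surge detection and blocklist matching over MOVEit access logs.

Added example (not from the article, GreyNoise, or Progress). The log layout,
sample addresses, blocklist, and watched paths are constructed assumptions.
"""
from collections import defaultdict
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Request paths treated as "MOVEit-related". /moveitisapi/moveitisapi.dll and
# /human.aspx are MOVEit Transfer endpoints; adjust to your deployment.
MOVEIT_PATHS = ("/moveitisapi/moveitisapi.dll", "/human.aspx", "/api/v1/")

# Constructed threat-intel blocklist, in CIDR form as a feed would deliver it.
SAMPLE_BLOCKLIST = ["198.51.100.0/24", "192.0.2.77/32"]


def build_sample_log() -> List[str]:
    """Constructed log: two quiet days, then a day with 120 distinct scanners."""
    lines = [
        "2025-05-25 09:14:02 203.0.113.10 GET /human.aspx 200",
        "2025-05-25 11:40:17 203.0.113.11 GET /moveitisapi/moveitisapi.dll 200",
        "2025-05-26 08:02:44 203.0.113.10 GET /human.aspx 200",
        "2025-05-26 08:02:45 203.0.113.10 GET /favicon.ico 404",
        "2025-05-26 19:55:01 192.0.2.77 GET /moveitisapi/moveitisapi.dll 404",
    ]
    # Surge day: many distinct sources from one documentation-range /24.
    for i in range(1, 121):
        lines.append(
            f"2025-05-27 03:{i % 60:02d}:00 198.51.100.{i} GET /moveitisapi/moveitisapi.dll 404"
        )
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Parse 'date time ip method uri status'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, _time, ip, method, uri, status = parts
    try:
        ipaddress.ip_address(ip)      # reject non-IP junk in the client field
        status_code = int(status)
    except ValueError:
        return None
    return {"date": date, "ip": ip, "method": method, "uri": uri, "status": status_code}


def unique_ips_per_day(lines: List[str], paths=MOVEIT_PATHS) -> Dict[str, Set[str]]:
    """Distinct client IPs per day whose requests hit a MOVEit-related path."""
    prefixes = tuple(p.lower() for p in paths)
    daily: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["uri"].lower().startswith(prefixes):
            daily[rec["date"]].add(rec["ip"])
    return daily


def detect_surge(daily: Dict[str, Set[str]], absolute: int = 100,
                 ratio: float = 3.0) -> List[Tuple[str, int]]:
    """Flag days whose unique-IP count reaches `absolute` or grows by `ratio`
    over the previous day. Defaults mirror the figures quoted in the article."""
    flagged: List[Tuple[str, int]] = []
    prev: Optional[int] = None
    for date in sorted(daily):
        count = len(daily[date])
        if count >= absolute or (prev and count >= ratio * prev):
            flagged.append((date, count))
        prev = count
    return flagged


def match_blocklist(lines: List[str], blocklist=SAMPLE_BLOCKLIST) -> Dict[str, Set[str]]:
    """Map each blocklisted network to the client IPs observed inside it."""
    nets = [ipaddress.ip_network(n, strict=False) for n in blocklist]
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        for net in nets:
            if ip in net:
                hits[str(net)].add(rec["ip"])
    return hits


if __name__ == "__main__":
    log = build_sample_log()
    for date, count in detect_surge(unique_ips_per_day(log)):
        print(f"surge: {date} had {count} unique IPs against MOVEit paths")
    for net, ips in match_blocklist(log).items():
        print(f"blocklist {net}: {len(ips)} client IP(s) seen")
```

Feeding real IIS logs means replacing `parse_line` with a parser for your server's W3C field order, and the blocklist with the feed your SIEM already ingests; the per-day unique-IP series is also a reasonable metric to chart so that a hockey-stick spike like the one described above is visible at a glance rather than only in a threshold alert.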

4. Prepare for Incident Response

  • Have a response plan ready in case of breach or ransomware demand.
  • Back up MOVEit data securely and test your recovery processes.

5. Educate and Train Your Team

  • Make sure your IT and security teams understand the latest threats and response protocols.
  • Run tabletop exercises to simulate a MOVEit compromise scenario.

Here’s why that matters: The difference between a close call and a disaster often comes down to preparation.

Staying Proactive: The Bigger Cybersecurity Picture

The MOVEit surge is a symptom of a larger trend: attackers are getting faster, smarter, and more organized. But defenders have powerful tools, too—timely patching, layered defenses, robust monitoring, and threat intelligence can tip the odds in your favor.

Remember, security isn’t a one-time project—it’s a mindset. Attackers only need to succeed once; defenders have to be vigilant every day.


FAQ: MOVEit Transfer Attacks—What People Are Asking

What is MOVEit Transfer, and why is it a target?

MOVEit Transfer is a secure managed file transfer platform, trusted by large enterprises and government agencies to exchange sensitive data. It’s a high-value target because a single vulnerability can expose massive amounts of confidential information.

Who is behind the recent MOVEit attacks?

Much of the malicious activity has been attributed to Lace Tempest, a cybercriminal group known for operating the Clop ransomware site. However, many attacks are automated and may involve other threat actors using cloud infrastructure.

What vulnerabilities are being targeted?

The primary vulnerabilities are CVE-2023-34362 and CVE-2023-36934, both of which allow for remote code execution and data exfiltration if left unpatched.

How can organizations protect themselves from MOVEit attacks?

  • Patch MOVEit Transfer systems immediately.
  • Restrict internet access and implement allowlists.
  • Monitor for suspicious log activity.
  • Use threat intelligence services to block known malicious IPs.

Are there signs that my MOVEit system has been compromised?

Look for unexpected file transfers, unfamiliar user accounts, unauthorized web shell files, or connections from IPs associated with scanning activity.
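Of the indicators listed above, "unauthorized web shell files" is the one that lends itself to a mechanical check: snapshot the hashes of server-side script and binary files in the MOVEit Transfer web root on a known-clean, freshly patched install, then diff later snapshots against that baseline. The script below is an added example, not Progress's tooling or anything from the original article; the web root path, file names and suffix list are constructed assumptions, and the demo builds a throwaway directory so it runs offline.

```python
"""Baseline-and-diff integrity check for a MOVEit Transfer web root.

Added example, not vendor tooling. File names, the watched suffix list and the
web root location are assumptions; the demo uses a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Server-side content a dropped web shell or tampered deployment would change.
WATCHED_SUFFIXES = {".aspx", ".ashx", ".asmx", ".dll", ".config"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map root-relative POSIX path -> SHA-256 for every watched file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def save_baseline(snap: Dict[str, str], dest: Path) -> None:
    """Persist the baseline; store it off-host so an intruder can't edit it."""
    dest.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def diff_snapshot(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared, changed, or vanished since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed web root, baseline it, simulate a dropped script and
    an edited config, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "human.aspx").write_text("<%@ Page %>")
        (root / "web.config").write_text("<configuration/>")
        (root / "bin").mkdir()
        (root / "bin" / "Example.dll").write_bytes(b"\x00" * 16)  # constructed name
        (root / "logo.png").write_bytes(b"\x89PNG")                # not watched
        baseline_path = root / "baseline.json"
        save_baseline(snapshot(root), baseline_path)

        # Simulated post-compromise state: one new server-side script, one edited config.
        (root / "unexpected.aspx").write_text("<%@ Page %>")
        (root / "web.config").write_text("<configuration><!-- edited --></configuration>")
        return diff_snapshot(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files or '-'}")
```

Anything in `added` or `modified` that you cannot tie to a patch or deployment you performed deserves a look, and the baseline file itself belongs somewhere the web server's service account cannot write. Unfamiliar accounts and unexpected transfers live in MOVEit's own database and audit logs rather than on disk, so this check complements, but does not replace, reviewing those.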

Has there been a new mass exploitation event?

As of now, no mass exploitation is confirmed—only increased scanning and low-volume exploitation attempts. However, the risk remains high if vulnerabilities are not remediated.


Final Thoughts: Vigilance Is Your Best Defense

The current wave of MOVEit Transfer system scans is more than just digital background noise—it’s a warning bell. Attackers are probing, testing, and preparing for their next move. The organizations that fare best are those that take proactive, layered measures before disaster strikes.

Don’t wait for the headlines to hit your inbox. Assess your MOVEit security posture today, patch promptly, and keep learning. For more up-to-date analysis and expert insights, consider subscribing or exploring our deep-dive resources on secure file transfer and cyber defense.

Stay safe, stay vigilant, and remember: in cybersecurity, knowledge is your most valuable asset.
