GreyNoise Warns of Surge in MOVEit Scanning Activity
GreyNoise has reported a surge in scanning activity targeting MOVEit Transfer systems, with a significant increase in unique IPs detected since May 27, 2025. The activity, which could be laying the groundwork for renewed targeting, has been observed across various cloud infrastructure providers.
From May 27 to June 24, GreyNoise detected 682 unique IPs conducting scanning activity. The overwhelming majority of these IPs were geolocated to the US. The most active infrastructure used was Tencent Cloud, accounting for 44% of the detected IPs, followed by Cloudflare (17%), Amazon (14%), and Google (5%).
GreyNoise observed two low-volume exploitation attempts on June 12, 2025, associated with two known SQL injection vulnerabilities (CVE-2023-34362 and CVE-2023-36934). These attempts were part of coordinated activity against MOVEit Transfer systems in recent weeks, conducted through high-volume email campaigns originating from hundreds of compromised email accounts. The scanning activity is believed to be laying the groundwork for potential future attacks.
MOVEit customers are advised to take proactive measures to protect their systems. This includes blocking malicious IPs, auditing system exposure, applying patches, and monitoring real-time attacker activity. Despite the increase in scanning activity, no widespread exploitation of MOVEit Transfer systems has been observed at this time.