MOVEit Transfer systems scans jump significantly

The number of unique IPs-per-day scanning Progress MOVEit Transfer systems spiked to more than 100 on May 27, followed by 319 on May 28, according to threat intelligence company GreyNoise.

The spike was significant because prior to May 27, GreyNoise said scanning for MOVEit Transfer apps was minimal, typically fewer than 10 IPs-per-day. The vast majority of the IPs observed were from the United States, but IPs in eight other countries were targeted.

“Since that initial jump, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs-per-day, a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs,” said GreyNoise.

The company also observed low-volume exploitation attempts on June 12 associated with two previously disclosed MOVEit Transfer flaws: CVE-2023-34362 and CVE-2023-36934. Attacks on the popular MOVEit Transfer file transfer app by the ransomware group Clop were first reported in the spring of 2023. Emsisoft reported that nearly 2,800 organizations were affected, many with serious data exfiltration incidents.

T. Frank Downs, senior director of proactive services at BlueVoyant, said while it’s always essential for security teams to remain vigilant against potential attacks, we should view the current surge in scanning activity on MOVEit Transfer systems as an important early warning.

“The potential involvement of AI in these processes may account for the increased visibility and activity levels, as AI can enhance efficiency, but sometimes lacks the nuanced judgment of human input,” said Downs. “For instance, AI-driven coding can sometimes miss basic security design principles in its pursuit to meet functional requirements. Similarly, AI used by potential attackers could be creating detectable patterns, such as the rise in scanning activity.”

Downs added that this conspicuous scanning activity could signal an opportunity for security teams: Attackers using AI may inadvertently telegraph their intentions, providing defenders with valuable lead time to fortify defenses. He said security teams should take advantage of this heads-up by ensuring systems are patched and ready for potential exploitation attempts.

Nivedita Murthy, senior staff consultant at Black Duck, pointed out that attackers are exploiting a vulnerability in outdated versions of MOVEit Transfer, emphasizing the importance of keeping software up-to-date with the latest patches.

“Attackers are always on the lookout for unpatched and older versions of software to take advantage of,” said Murthy. “With the help of AI, attackers can automate a lot of their tasks and run attacks faster while making them harder to detect. To prevent such attacks, security teams should inventory all instances of the software using SCA tools, implement additional controls such as authentication and authorization, and regularly scan their software inventory for risks.”

Shane Barney, chief information security officer at Keeper Security, said the increase in scanning activity targeting MOVEit Transfer systems is worth monitoring, but doesn’t necessarily indicate imminent or widespread exploitation. Barney said this type of behavior often reflects opportunistic threat actors probing for unpatched systems – not necessarily a sophisticated adversary.

“That said, the MOVEit vulnerabilities have a history of being exploited at scale, with significant consequences, so organizations must remain vigilant,” said Barney. “Ensuring patches are applied, systems aren’t unnecessarily exposed and privileged access is tightly controlled are all foundational steps that help reduce risk.”