GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28.
Since that initial jump, daily scanner IP volume has remained intermittently elevated at between 200 and 300 IPs per day — a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs.

These patterns often coincide with new vulnerabilities emerging two to four weeks later.
Key Findings
- 682 unique IPs have triggered GreyNoise’s MOVEit Transfer Scanner tag over the past 90 days.
- The surge began on May 27 — prior activity was near-zero.
- 303 IPs (44%) originate from Tencent Cloud (ASN 132203) — by far the most active infrastructure.
- Other source providers include Cloudflare (113 IPs), Amazon (94), and Google (34).
- Top destination countries include the United Kingdom, United States, Germany, France, and Mexico.
- The overwhelming majority of scanner IPs geolocate to the United States.
Confirmed Exploitation Attempts on June 12
GreyNoise also observed low-volume exploitation attempts on June 12, 2025, associated with two previously disclosed MOVEit Transfer vulnerabilities:
- CVE-2023-34362
- CVE-2023-36934
These events occurred during the period of heightened scanning and may represent target validation or exploit testing, but at this time, no widespread exploitation has been observed by GreyNoise.
Infrastructure Concentration Suggests Deliberate Scanning
A significant portion of scanner IPs are hosted by a small number of cloud providers:
- Tencent Cloud (ASN 132203) accounts for 44% of all scanner IPs.
- Other contributors include Cloudflare, Amazon, and Google.
This level of infrastructure concentration — particularly within a single ASN — suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing.
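Defenders can take the same two measurements, daily unique scanner IPs against a baseline and the share of those IPs per ASN, from their own perimeter logs. The Python below is an added example, not GreyNoise's code or methodology. The events, the private-use ASNs 64512 to 64514, the documentation-range IPs and the thresholds are constructed assumptions; only ASN 132203 comes from the report.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample():
    """Constructed events: (ISO date, source IP, origin ASN)."""
    events = []
    for day in range(20, 27):                 # quiet week; one IP repeats
        for host in (1, 2, 3, 1):
            events.append((f"2025-05-{day}", f"198.51.100.{host}", 64512))
    cycle = (132203, 64513, 132203, 64514)    # constructed ASN mix
    for day, total in ((27, 40), (28, 60)):   # constructed surge days
        for host in range(total):
            events.append((f"2025-05-{day}", f"203.0.113.{host}", cycle[host % 4]))
    return events

def daily_unique_ips(events):
    """Map each day to its number of distinct source IPs."""
    seen = defaultdict(set)
    for day, ip, _asn in events:
        seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}

def find_surges(daily, window=7, factor=5, floor=10, min_history=3):
    """Flag days whose count is >= max(floor, factor * recent median)."""
    history, flagged = [], []
    for day, count in sorted(daily.items()):
        if len(history) >= min_history:
            baseline = median(history[-window:])
            if count >= max(floor, factor * baseline):
                flagged.append(day)
                continue      # surge days stay out of the baseline, so a
                              # sustained elevation keeps being flagged
        history.append(count)
    return flagged

def asn_share(events, days):
    """Unique IPs and share per origin ASN, restricted to the given days."""
    ip_asn = {ip: asn for day, ip, asn in events if day in days}
    counts = Counter(ip_asn.values())
    return [(asn, n, n / len(ip_asn)) for asn, n in counts.most_common()]

if __name__ == "__main__":
    events = build_sample()
    surges = find_surges(daily_unique_ips(events))
    print("surge days:", surges)
    for asn, n, share in asn_share(events, set(surges)):
        print(f"AS{asn}: {n} IPs ({share:.0%})")
```

Days with no matching traffic are absent from the input rather than counted as zero, so the median is taken over observed days only.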
Defender Recommendations
Organizations should take the following steps:
1. Dynamically block malicious and suspicious IPs using GreyNoise:
2. Audit public exposure of any MOVEit Transfer systems.
3. Apply patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934.
4. Monitor real-time attacker activity against MOVEit Transfer by navigating to each respective GreyNoise tag:
We will continue to monitor the situation and provide updates as necessary.
GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.
— — —
Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
