- Security researchers see a significant increase in IP scans for MOVEit instances
- This could signal a newly discovered vulnerability in the tool
- Most scans are coming from the US, so be on your guard
‘Once bitten, twice shy’ the old saying goes, so when security researchers see hackers intensively scanning for MOVEit instances, it’s no wonder they’re sounding the alarm.
Threat intelligence outfit GreyNoise has reported a “notable surge” in the number of malicious scans for systems running Progress’ MOVEit Secure Managed File Transfer software.
Back in 2023, a major vulnerability was discovered in the software, which was quickly picked up by Cl0p – at the time an infamous Russian-based ransomware operation. The hackers abused the flaw to steal sensitive information on hundreds of organizations and millions of people – extorting their way to riches. Government agencies, healthcare firms, and IT companies were all affected.
IP volume steadily increasing
Even though the bug was squashed and most instances patched, threat actors continued scanning the web for potential victims. GreyNoise says that on an ordinary day, scanning was “minimal”, with fewer than 10 IPs a day.
The researchers note that on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28.
Since then, the daily IP volume has never dropped below 200 and has hovered around the 300 range. That, they believe, is evidence that someone knows something and is looking for an exploit.
Over the last 90 days, more than 600 unique IP addresses were linked to this campaign, a number which has been steadily increasing. Most of them are in the United States, with notable figures coming from Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.
Managed File Transfer tools, such as MOVEit, are popular among SMBs and enterprises, as they allow for a secure and seamless way to share important and often sensitive files.
This makes the tools a popular target, and besides Progress’ solution, others have been targeted as well, including GoAnywhereMFT, IBM Aspera Faspex, and others.
Via The Hacker News