Recommended reading

Another major MOVEit flaw could be on the way - here's what we know

News
By published

Someone knows something, and security researchers are picking up on the scent

Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details
(Image credit: Shutterstock)
  • Security researchers see a significant increase in IP scans for MOVEit instances
  • This could signal a newly discovered vulnerability in the tool
  • Most scans are coming from the US, so be on your guard

‘Once bitten, twice shy’ the old saying goes, so when security researchers see hackers intensively scanning for MOVEit instances, it’s no wonder they’re sounding the alarm.

Threat intelligence outfit GreyNoise has reported a “notable surge” in the number of malicious scans for systems running Progress’ MOVEit Secure Managed File Transfer software.

Back in 2023, a major vulnerability was discovered in the software, which was quickly picked up by Cl0p - at the time an infamous Russian-based ransomware operation. The hackers abused the flaw to steal sensitive information on hundreds of organizations and millions of people - extorting their way to riches. Government agencies, healthcare firms, IT companies - were all affected.

Get 55% off Incogni's Data Removal service with code TECHRADAR

Get 55% off Incogni's Data Removal service with code TECHRADAR

Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
and protect your privacy from unwanted spam and scam calls.

View Deal

IP volume steadily increasing

Even though the bug was squashed and most instances patched, threat actors continued scanning the wide web for potential victims. GreyNoise says that on an ordinary day, scanning was “minimal” with fewer than 10 IPs a day.

The researchers note on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28.

Since then, the daily IP volume never dropped below 200, and hovered around the 300 range. That, they believe, is evidence that someone knows something and is looking for an exploit.

Over the last 90 days, more than 600 unique IP addresses were linked to this campaign, a number which has been steadily increasing. Most of them are in the United States, with notable figures coming from Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.

Managed File Transfer tools, such as MOVEit, are popular among SMBs and enterprises, as they allow for a secure and seamless way to share important and often sensitive files.

This makes the tools a popular target, and besides Progress’ solution, others have been targeted as well, including GoAnywhereMFT, IBM Aspera Faspex, and others.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.