Since the end of May 2023, there has been a significant increase in scanning activities targeting systems that utilize Progress MOVEit Transfer. These activities highlighted potential threats and underscored the necessity for security teams to act proactively. Initially observed by GreyNoise starting May 27, 2023, the scanning activity surged dramatically. It leaped to over 100 scanning IP addresses daily, notably peaking at 319 IPs on May 28. This surge stood in stark contrast to the minimal activity recorded before these dates. Although the United States is a primary source, the scans originate from eight other countries as well, pointing to a widespread scope of interest. This uptick, characterized as “intermittently elevated,” maintained a rate of 200 to 300 IPs per day after May 28, deviating substantially from earlier patterns. The increase is linked to known vulnerabilities—CVE-2023-34362 and CVE-2023-36934—that have been exploited by organizations like the ransomware group Clop, making this a critical issue for over 2,800 affected entities.
Understanding the Surge in Scanning Activity
The surge in scanning activity for MOVEit systems signals more than just a technical anomaly; it represents a shift in the cybersecurity landscape. The vulnerabilities CVE-2023-34362 and CVE-2023-36934 have proven irresistible for cybercriminals, who particularly target unpatched systems. As of now, over 2,800 organizations have reported data breaches of varying extent. Scanning from countries other than the United States points to growing global interest. This attention requires companies worldwide to minimize exposure and anticipate potential attacks. Experts like T. Frank Downs from BlueVoyant suggest that AI advancements give security teams an opportunity to bolster defenses through increased visibility, which can also expose attackers' intentions. In light of evolving threats, security measures must include constant system updates to prevent ransomware groups from exploiting these vulnerabilities. Tools such as Software Composition Analysis (SCA) can help identify and address potential threats, underscoring the role of technology in safeguarding organizational infrastructure.
Proactive Measures and Mitigation Strategies
Given the current threat landscape, proactive strategies are not just advisable—they are essential. Shane Barney from Keeper Security emphasizes that while increased scanning may not immediately point to exploitation, it does indicate that threat actors are watching for any unpatched systems. The history of MOVEit vulnerabilities accentuates the need for 24/7 monitoring and proactive measures. Applying patches regularly, restricting system exposure, and implementing stricter privileged access controls are crucial. Maintaining updated systems can prevent new vulnerabilities from being exploited. Recognizing scanning patterns allows for early detection of threats, offering a preemptive advantage against potential attacks. By leveraging these early warning signs, organizations can strengthen their defenses and significantly diminish the chances of successful exploits. In a rapidly advancing technological age, the convergence of AI-driven capabilities and strategic cybersecurity measures provides a roadmap for efficiently navigating emerging threats and ensuring the steadfast security of sensitive data and systems.
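One concrete form of "recognizing scanning patterns" is to count distinct client IPs per day in the web front end's access logs and flag days that jump far above a quiet baseline, the way the article's numbers did (a handful of IPs, then 100+, peaking at 319). The script below is an added example, not code from the article or from GreyNoise; its log line format, the `10.9.x.x` sample addresses, and the choice of the first few days as the reference period are all assumptions of the example.

```python
"""Flag days on which the number of distinct client IPs reaching a web front end
jumps far above a quiet baseline, the pattern the article describes (a handful of
scanning IPs per day rising to 100+, peaking at 319). Added example, not code
from the article or GreyNoise; the log line format below is constructed."""
import re
import statistics
from collections import defaultdict

# Constructed W3C-style field order: date time client-ip method uri status.
# Real IIS/W3C logs carry more fields and need a wider pattern.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \d{3}$")

def distinct_ips_per_day(lines):
    """Map each date to its number of distinct client IPs (repeats count once)."""
    per_day = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:          # header or malformed line: skip, do not fail
            continue
        per_day[m["date"]].add(m["ip"])
    return {d: len(ips) for d, ips in sorted(per_day.items())}

def flag_elevated_days(counts, baseline_days=3, floor=100, multiplier=5):
    """Mark a day 'elevated' when its distinct-IP count reaches `floor` or
    `multiplier` times the median of the first `baseline_days` (quiet) days,
    whichever is higher. Using the first days as the reference is an assumption."""
    dates = list(counts)
    reference = [counts[d] for d in dates[:baseline_days]]
    baseline = statistics.median(reference) if reference else 0
    threshold = max(floor, multiplier * baseline)
    return {d: ("elevated" if counts[d] >= threshold else "normal") for d in dates}

def constructed_log():
    """Constructed sample, not real traffic: two quiet days, then the jump.
    Client IPs are synthetic 10.9.x.x addresses; one quiet-day IP repeats."""
    plan = {"2023-05-25": 3, "2023-05-26": 4, "2023-05-27": 120,
            "2023-05-28": 319, "2023-05-29": 240}
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for date, n in plan.items():
        for k in range(n):
            lines.append(f"{date} 12:00:{k % 60:02d} 10.9.{k // 256}.{k % 256} GET /login 200")
    lines.append("2023-05-25 12:00:00 10.9.0.0 GET /login 200")  # repeat, must not double count
    return lines

if __name__ == "__main__":
    counts = distinct_ips_per_day(constructed_log())
    for day, flag in flag_elevated_days(counts, baseline_days=2).items():
        print(f"{day}: {counts[day]:>3} distinct IPs  {flag}")
```

The absolute floor keeps the rule usable when the reference period is nearly silent, while the multiplier catches a relative jump on busier sites.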
Navigating the Future Threat Landscape
Since late May 2023, there’s been a notable rise in scanning activities aimed at systems using Progress MOVEit Transfer. This surge underscores potential threats, highlighting an urgent need for security teams to take preemptive measures. GreyNoise initially observed these activities on May 27, 2023, with a dramatic increase leading to over 100 scanning IP addresses daily, peaking at 319 on May 28. This marked a stark contrast to the minimal activity seen prior. Though primarily originating from the United States, these scans also come from eight other countries, suggesting widespread global interest. Post-May 28, this “intermittently elevated” activity remained at 200 to 300 IPs daily, significantly deviating from earlier trends. The increase is tied to vulnerabilities CVE-2023-34362 and CVE-2023-36934, exploited by groups like the ransomware entity Clop. This situation is critical for over 2,800 affected organizations needing to address these vulnerabilities promptly to mitigate potential risks and harms.