Scanning Surge: MOVEit Back in the Crosshairs

Imagine waking up to find your business’s confidential files in the hands of cybercriminals demanding a ransom. For thousands of companies, that nightmare was real after the huge MOVEit Transfer breach in 2023.

Cybersecurity professionals are now warning of a new wave of scanning for MOVEit servers—an indication that attackers are on the hunt for weaknesses. This isn’t just an IT problem. Executives, risk managers, and anyone responsible for protecting data should pay attention. These attacks don’t just threaten software—they threaten people, reputations, and entire businesses.

What Is MOVEit Transfer and What Makes It So Significant?

MOVEit Transfer is a secure way of transferring large amounts of critical information. It is used by governments, banks, healthcare systems, and big businesses to transfer confidential information. That level of trust also makes it a prime target. If hackers find a weakness in MOVEit’s defenses, they can compromise data not from a single company but from dozens or hundreds, especially because many companies rely on third-party vendors that use MOVEit behind the scenes.

A Brief Flashback: The 2023 MOVEit Breach

Let’s look at it plainly. In May 2023, a critical security vulnerability was discovered in MOVEit Transfer (CVE-2023-34362). Attackers exploited it through SQL injection, which let them exfiltrate large amounts of data before anyone was aware of the issue.

The impact? More than 2,700 organizations worldwide were reported to be affected. Stolen data included financial records, personal identity documents, and important government records. High-profile victims like Shell, British Airways, and the U.S. Department of Energy had to acknowledge that they lost data.

Other estimates put the number of people whose personal information was exposed at more than 62 million, and that’s just what we know about. The actual figure is probably larger, since most companies won’t say just how severe the breaches were.

Why It Was So Bad: Supply Chain Domino Effect

One of the most egregious aspects of the MOVEit attacks was the way that it damaged the supply chain. Even organizations that were not direct users of MOVEit were affected because their suppliers were.

Consider a bank or hospital that outsources billing to a firm that uses MOVEit. If the firm gets hacked, your patients’ or customers’ information is vulnerable.

It was a harsh lesson: Your security is only as strong as your weakest partner.

What’s New Now: The Scanning Surge of 2025

Flash forward to 2025. Organizations such as GreyNoise have witnessed an all-time high in scans against MOVEit Transfer servers.

  • Daily scans increased from single digits to over 300 per day.
  • Scanning has remained at high levels for weeks.
  • All of these scans come from hundreds of IPs in numerous countries.

Why is that the case? Scanning is the initial wave of a cyberattack. Attackers do not pick victims randomly: they methodically scan the internet for networks running MOVEit, and then for vulnerabilities. In most instances, this wave of scanning happens just weeks before exploitation. It’s akin to a burglar checking whether houses have open doors.

It’s Not Just Old Bugs—New Flaws Keep Appearing

You might think, “Didn’t they fix this?” And Progress Software (MOVEit’s developer) did release emergency patches in 2023. But new vulnerabilities kept surfacing:

  • CVE-2023-34362 – the initial zero-day.
  • CVE-2023-36934 – another critical bug found months later.
  • CVE-2024-5806 – found in mid-2024, enabling authentication bypass.

Attackers know many organizations patch slowly, if at all. That’s why they keep scanning for unpatched systems—even years later.

Who’s Behind These Attacks?

Attribution is never simple, but most security experts agree financially motivated criminal groups are likely behind most of it.

The 2023 MOVEit breach was pure extortion. Attackers didn’t quietly siphon data—they stole it openly and threatened to leak it unless ransoms were paid. Estimates suggested these criminal groups made between $75–100 million through MOVEit-related extortion.

Of course, nation-state hackers watch these vulnerabilities too. Even if they didn’t lead the 2023 attacks, they likely learned from them. Governments see supply-chain access as valuable for spying, just as criminals see it for profit.

MOVEit Reveals a Greater Issue: Supply Chain Weaknesses

MOVEit isn’t the only file-transfer software to suffer such attacks. Similar flaws in Accellion, GoAnywhere, and others have led to serious breaches in recent years.

The trend is clear:

  • Attackers find zero-days in widely used software.
  • They exploit them to breach entire supply chains.
  • Even well-secured companies are vulnerable if their partners don’t patch.

That’s why supply chain security is now a board-level topic. If you don’t know how your vendors manage their security, you’re putting your own data at risk.

Signs Attackers Are Already Trying MOVEit

This latest scanning surge is not noise. Security firms have seen early signs of attempts to exploit MOVEit’s known vulnerabilities:

  • Session hijacking without user logins, indicating stolen tokens.
  • Attackers moving sessions across multiple IPs to avoid detection.
  • LDAP queries that map networks only once.
  • Use of VPNs to conceal actual locations.

These tactics showcase professional planning and organization. They’re not amateurs—they’re really well-organized, relentless, and persistent.
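
The first two indicators in the list above (session activity with no login, and one session moving across several IPs) can be checked against transfer-server access logs. The following is an added example, not code from this article or from Progress Software; the log records are constructed, and their field names and event types are assumptions rather than MOVEit's actual log schema.

```python
from collections import defaultdict

# Constructed sample records: (timestamp, event, session id, source IP, user).
# Field names and event types are assumptions, not MOVEit's real log schema.
SAMPLE_EVENTS = [
    ("2025-06-01T09:00:02", "login",    "s-100", "198.51.100.10", "alice"),
    ("2025-06-01T09:01:10", "download", "s-100", "198.51.100.10", "alice"),
    ("2025-06-01T09:05:41", "list",     "s-200", "203.0.113.7",   "bob"),    # no login seen
    ("2025-06-01T09:06:03", "download", "s-200", "192.0.2.44",    "bob"),    # new IP
    ("2025-06-01T09:06:30", "download", "s-200", "198.51.100.99", "bob"),    # new IP
    ("2025-06-01T09:10:00", "login",    "s-300", "192.0.2.8",     "carol"),
    ("2025-06-01T09:12:00", "upload",   "s-300", "192.0.2.9",     "carol"),  # roamed once
]


def find_suspicious_sessions(events, max_ips=1):
    """Return {session_id: [reasons]} for sessions matching either indicator."""
    logged_in = set()            # sessions with an observed login event
    no_login = set()             # sessions active before any login was seen
    ips = defaultdict(list)      # session -> source IPs in first-seen order
    # ISO 8601 timestamps sort lexicographically, so sorted() gives time order.
    for ts, event, sid, ip, user in sorted(events):
        if event == "login":
            logged_in.add(sid)
        elif sid not in logged_in:
            no_login.add(sid)
        if ip not in ips[sid]:
            ips[sid].append(ip)

    findings = {}
    for sid, seen in ips.items():
        reasons = []
        if sid in no_login:
            reasons.append("activity without a preceding login")
        if len(seen) > max_ips:
            reasons.append(f"used from {len(seen)} IPs: {', '.join(seen)}")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(sid, "->", "; ".join(reasons))
```

Raising `max_ips` reduces noise from users who legitimately roam between networks, at the cost of missing sessions that are moved only once.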

Don’t Be the Next Headline

The MOVEit scanning wave is a threat in plain sight: attackers have not forgotten this profitable target. They’re actively looking for the next set of unpatched servers.

But businesses don’t have to be victims. By patching quickly, reducing exposure, and adopting strong security practices, organizations can protect their own data—as well as that of partners, customers, and employees.

Cybersecurity isn’t just an IT responsibility. It’s about business survival.

Now is the time to act.
