
MOVEit Under Attack Again: Your 48-Hour Action Plan

682 IP addresses are hunting for your MOVEit systems right now. If you're running this file-transfer software, the historical pattern suggests you have roughly 2-4 weeks before the next major extortion wave hits.

⚠️ TL;DR

MOVEit Transfer, Progress Software's enterprise managed file transfer application, was mass-exploited in 2023 and is under active scanning again.

  • 3,000% spike in scanning activity since May 27, 2025 (verified by GreyNoise Intelligence)

  • 682 unique attacker IPs identified over 90 days (verified by GreyNoise Intelligence)

  • 44% of attacker infrastructure traced to Tencent Cloud (verified by GreyNoise Intelligence)

  • This pattern matches the lead-up to the 2023 Clop data-theft extortion campaign, estimated to have earned $75-100M (verified by security research)

  • Time-frame to action: estimated 2–4 weeks before potential exploitation (based on historical patterns)

  • A prevention effort estimated at $2K could avoid $4.88M+ in average breach costs (illustrative based on industry data)

What Happened: The 2023 Playbook Is Repeating

In 2023, attackers exploited a zero-day vulnerability in MOVEit Transfer to compromise over 2,000 organizations and extort an estimated $75-100 million in total (verified by security research and industry reports). The Clop extortion group did not need to encrypt anything: it stole the files and demanded payment not to publish them, causing regulatory chaos worldwide and triggering widespread mandatory breach notifications.

It appears to be happening again.

What's happening: Think of it like this. Before burglars break into houses, they drive through neighborhoods repeatedly looking for easy targets: unlocked doors, open windows, houses with no security systems. That's what's happening to MOVEit systems right now.

Since May 27, 2025, cyber criminals have been systematically "driving through the internet" looking for organizations that use MOVEit software. This digital reconnaissance has jumped from fewer than 10 attempts per day to over 300 daily probes. 682 unique IP addresses have been scanning for MOVEit Transfer systems over the past 90 days, according to threat intelligence from GreyNoise as reported by Infosecurity Magazine. (An IP address is not a person: several of these addresses may belong to one operator, and some will be researchers rather than criminals, but the overall trend is what matters.)

44% of this scanning traces back to Tencent Cloud, with additional activity from other major providers including Cloudflare (17%), Amazon (14%), and Google (5%) (data verified by GreyNoise Intelligence). Scanning concentrated in a handful of rented cloud providers points to automated, infrastructure-backed campaigns rather than random, opportunistic probes.

Security researchers note that this pattern of digital casing typically precedes actual break-ins by 2-4 weeks, giving criminals time to map out their targets before striking.

If that timeline sounds familiar, it should. It's the exact sequence that preceded the 2023 attacks that devastated thousands of organizations. This isn't just IT noise. It's a warning siren.

Why It Matters: MOVEit Handles Your Sensitive Business Files

MOVEit is specialized file-sharing software large organizations use to securely send documents that are too sensitive, too large, or too regulated for regular email. Banks, hospitals, law firms, defense contractors, and government agencies use MOVEit to safely transfer documents that could destroy their business if they fell into the wrong hands:

  • Financial statements and audit reports

  • M&A documents and strategic plans

  • Legal contracts and regulatory filings

  • Customer databases and HR records

  • Partner communications and competitive intelligence

Think of it as an armored car service for your digital crown jewels: the documents so sensitive you can't just email them or put them on a standard file-sharing service. When attackers breached MOVEit systems in 2023, they didn't just steal random files. They extracted strategic information from entire organizations. Board meeting minutes, acquisition targets, pricing strategies, and customer lists all became extortion material. The same playbook is unfolding again. And if your MOVEit system is exposed or unpatched, you're in the crosshairs.

Business Impact: Beyond IT, This Is Strategic Risk

Let's break this down in terms that matter to business leaders:

Operational Disruption

Attackers can steal your confidential documents while they're being sent to partners or clients, meaning sensitive deals could become public before anyone notices. This could paralyze negotiations, halt regulatory submissions, and destroy trust.

Revenue at Risk

When your competitive intelligence and customer data become extortion material that bad actors can leverage, you don't just lose the current deal. You lose future market position. The 2023 victims are still dealing with customer churn and competitive disadvantage.

Regulatory Avalanche

A MOVEit compromise triggers a cascade of mandatory reporting requirements across multiple jurisdictions. The 2023 breaches resulted in extensive regulatory notifications and compliance obligations worldwide.

Legal reality: Ignoring this documented threat pattern isn't just risky. It may be legally indefensible when shareholders and regulators ask why you didn't act on clear warning signals.

Executive Action: 3 Critical Questions

You don't need to be a cybersecurity expert, but you do need answers to these questions this week:

1. Is MOVEit Exposed to the Internet?

If yes, you're likely being scanned already. Every day of exposure increases compromise probability.

2. Are All Vulnerabilities Patched?

Specifically: CVE-2023-34362 and CVE-2023-36934. These are the exact flaws attackers tested on June 12, 2025, according to verified GreyNoise observations. CVE-2023-34362 is the SQL injection flaw in the MOVEit Transfer web application that Clop exploited as a zero-day in May 2023; CVE-2023-36934 is a second SQL injection flaw disclosed in July 2023. Both are fixed in the updates Progress Software published at the time, so a system patched in June 2023 but never updated since may still be exposed to the second one.

In plain English: CVEs are the public identifiers assigned to specific, known security flaws that attackers know how to exploit. If your MOVEit system hasn't been updated to fix these flaws, your organization is vulnerable. "Patched" means running a build at or above the fixed version for your release branch, not simply "updated at some point in 2023".
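A patch-status check is only meaningful if it is branch-aware: a 2022.0.3 install is still vulnerable even though 2023.0.1 is "higher" numerically, because each release branch has its own fixed build. The following script is an added example, not code from the original brief or from Progress Software. The fixed-build table is filled in from my recollection of the Progress advisories for the two CVEs above and must be treated as an assumption: verify it against the vendor's current advisory before relying on the result. The inventory is constructed for illustration.

```python
"""Branch-aware MOVEit Transfer patch-status triage (added example)."""
import re

# Minimum fixed patch level per release branch (internal major.minor numbering).
# ASSUMED from recollection of the Progress advisories; verify before use.
FIXED_BUILDS = {
    "CVE-2023-34362": {"13.0": 6, "13.1": 4, "14.0": 4, "14.1": 5, "15.0": 1},
    "CVE-2023-36934": {"12.1": 11, "13.0": 9, "13.1": 7, "14.0": 7, "14.1": 8, "15.0": 4},
}
VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\s*")


def parse_version(text):
    """Return (major, minor, patch) from '2022.1.5' or its internal form '14.1.5'."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major >= 2000:
        # Marketing year maps to internal major: 2020.x = 12.x, 2021.x = 13.x, ..., 2024.x = 16.x
        major -= 2008
    return major, minor, patch


def status_for(cve, version):
    """Compare within the host's own branch, never across branches."""
    major, minor, patch = parse_version(version)
    table = FIXED_BUILDS[cve]
    branch = f"{major}.{minor}"
    if branch in table:
        return "patched" if patch >= table[branch] else "vulnerable"
    newest = max(tuple(int(p) for p in b.split(".")) for b in table)
    if (major, minor) > newest:
        return "not-affected"      # branch shipped after the fix
    return "upgrade-required"      # older branch with no fix published


def assess_host(host):
    """host: constructed inventory entry with name, version and internet_exposed."""
    statuses = {cve: status_for(cve, host["version"]) for cve in FIXED_BUILDS}
    unpatched = any(s in ("vulnerable", "upgrade-required") for s in statuses.values())
    if unpatched and host["internet_exposed"]:
        priority = "urgent"        # exactly what the scanners are looking for
    elif unpatched:
        priority = "high"          # reachable from inside; still a lateral-movement target
    elif host["internet_exposed"]:
        priority = "review"        # patched, but confirm the exposure is intended
    else:
        priority = "ok"
    return {"name": host["name"], "priority": priority, "statuses": statuses}


def triage(inventory):
    """Map host name -> priority for the whole inventory."""
    return {r["name"]: r["priority"] for r in map(assess_host, inventory)}


# Constructed inventory for the example; replace with your CMDB export.
INVENTORY = [
    {"name": "mft-dmz-01", "version": "2022.1.3", "internet_exposed": True},
    {"name": "mft-dmz-02", "version": "2021.0.7", "internet_exposed": True},   # June 2023 fix only
    {"name": "mft-int-01", "version": "2023.0.4", "internet_exposed": False},
    {"name": "mft-lab-01", "version": "12.0.3", "internet_exposed": False},    # branch with no fix
    {"name": "mft-dmz-03", "version": "2024.0.1", "internet_exposed": True},
]

if __name__ == "__main__":
    for host in INVENTORY:
        r = assess_host(host)
        print(f"{r['name']:<12} {r['priority']:<8} {r['statuses']}")
```

The interesting row is mft-dmz-02: it was patched for CVE-2023-34362 in June 2023 but never took the July service pack, so it is still vulnerable to CVE-2023-36934 and, being internet-facing, ranks as urgent.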

3. Can We Detect an Active Breach?

Can your security team tell if someone is stealing large amounts of data or accessing files they shouldn't? That means two things: continuous monitoring that spots unusual download volumes or downloads from unexpected locations, and access control that flags accounts nobody authorized getting into the system. A MOVEit compromise in 2023 typically looked like a burst of bulk downloads in a short window, so that is the signal to watch for.
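Here is what such detection logic looks like when run over file-transfer audit events. This is an added example, not code from the original brief or from Progress Software. The log line format, the sample lines, the user baselines and the allowed networks are all constructed for the example; MOVEit Transfer's real audit schema differs, so parse_line() would be adapted to whatever your SIEM already ingests. The three rules are the ones the question above asks for: an account nobody provisioned, downloads from outside expected networks, and a download volume far above a user's normal day.

```python
"""Simple exfiltration detection over constructed MOVEit-style audit events (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp plus key=value fields.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)"
)

# Constructed reference data; a real deployment pulls these from its user
# directory and from a few weeks of observed normal traffic.
KNOWN_USERS = {"alice", "bob", "carol"}
BASELINE_BYTES_PER_DAY = {"alice": 10_000_000, "bob": 50_000_000, "carol": 5_000_000}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
WINDOW = timedelta(hours=1)
SPIKE_FACTOR = 3  # alert when one hour of downloads exceeds 3x a normal day


def parse_line(line):
    """Parse one audit line; return None for lines the regex does not understand."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev["bytes"])
    return ev


def detect(lines):
    """Return a list of (rule, user, detail) alerts in the order they fire."""
    events = [ev for ev in map(parse_line, lines) if ev]
    alerts, seen_unknown, seen_offnet = [], set(), set()

    # Rule 1: an account that is not in the directory. Rule 2: a download from
    # outside the expected networks. Each fires once per user / user+ip.
    for ev in events:
        if ev["user"] not in KNOWN_USERS and ev["user"] not in seen_unknown:
            seen_unknown.add(ev["user"])
            alerts.append(("unknown_account", ev["user"], f"first seen from {ev['ip']}"))
        if ev["action"] == "download":
            src = ipaddress.ip_address(ev["ip"])
            key = (ev["user"], ev["ip"])
            if not any(src in net for net in ALLOWED_NETS) and key not in seen_offnet:
                seen_offnet.add(key)
                alerts.append(("off_network_download", ev["user"], f"from {ev['ip']}"))

    # Rule 3: sliding one-hour window of downloaded bytes per user versus baseline.
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "download" and ev["user"] in BASELINE_BYTES_PER_DAY:
            per_user[ev["user"]].append((ev["ts"], ev["bytes"]))
    for user, xfers in per_user.items():
        xfers.sort()
        threshold = SPIKE_FACTOR * BASELINE_BYTES_PER_DAY[user]
        start, total = 0, 0
        for ts, nbytes in xfers:
            total += nbytes
            while ts - xfers[start][0] > WINDOW:   # drop events older than the window
                total -= xfers[start][1]
                start += 1
            if total > threshold:
                alerts.append(("volume_spike", user, f"{total} bytes in the hour ending {ts.isoformat()}"))
                break  # one alert per user is enough here
    return alerts


# Constructed sample log: a normal working day, then a late-night bulk pull.
SAMPLE_LOG = """\
2025-06-12T08:02:11Z user=alice ip=10.20.30.40 action=download file=/Finance/Q2-forecast.xlsx bytes=2000000
2025-06-12T08:15:43Z user=alice ip=10.20.30.40 action=upload file=/Finance/Q2-notes.docx bytes=300000
2025-06-12T09:01:05Z user=bob ip=203.0.113.17 action=download file=/Legal/MSA-draft.pdf bytes=4000000
2025-06-12T10:30:00Z user=alice ip=10.20.30.40 action=download file=/Finance/Q2-audit.pdf bytes=3000000
2025-06-12T23:41:02Z user=tmp_admin ip=198.51.100.7 action=login file=- bytes=0
2025-06-12T23:42:10Z user=bob ip=198.51.100.7 action=download file=/Board/2025-minutes.zip bytes=120000000
2025-06-12T23:44:51Z user=bob ip=198.51.100.7 action=download file=/MA/project-falcon.zip bytes=150000000
2025-06-12T23:47:09Z user=bob ip=198.51.100.7 action=download file=/HR/payroll-export.csv bytes=60000000
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alice's ordinary downloads never trip the volume rule because the window slides: her morning and mid-morning files are more than an hour apart. Bob's three late-night pulls from an address outside the allowed networks trip both the off-network rule and the volume rule within minutes, which is the early-warning window the "can we detect it" question is really about.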

If your team can't confidently answer all three today, your organization is at risk.

Timeline: Your Window Is Shrinking

Current Phase: Reconnaissance (Now)

Right now, attackers are in reconnaissance (research) mode, mapping vulnerable systems and testing exploits.

Historical Pattern: 2-4 Week Timeline

Historical analysis of the 2023 MOVEit campaign shows mass compromise typically follows this scanning phase by 2-4 weeks (based on verified security research patterns). Security researchers expect the same timeline now, based on observed patterns.

Every Day You Delay:

  • Increases your probability of compromise

  • Reduces your ability to detect attacks early

  • Shrinks your incident response options

  • Compounds potential regulatory penalties

Time is not neutral. It's working against you.

The Business Case: A Prevention Investment vs. Massive Potential Loss

Let's examine the return on investment using verified industry data:

Cost to Act Now (Illustrative Estimate)

  • Full MOVEit security audit: 4-8 hours of IT time

  • Estimated labor cost: ~$2,000 (calculated at $250/hour loaded rate)

  • Patching and hardening: Minimal additional cost

Cost of Breach (Based on Verified Industry Data)

  • Average data breach costs: $4.88 million (IBM Cost of a Data Breach Report 2024)

  • Extortion payments across the 2023 Clop campaign: an estimated $75-100M in total (based on verified security research)

  • Detection and response time: Industry averages suggest weeks to months

  • Regulatory fines and legal costs: Highly variable but potentially massive

  • Competitive damage: Immeasurable and long-lasting

ROI Calculation

Investing approximately $2,000 today to avoid multi-million dollar losses represents exceptional return on investment. Few business decisions offer this kind of mathematical advantage.

What You Should Do in the Next 48 Hours

Schedule a comprehensive MOVEit security review immediately. Given the documented 2-4 week exploitation window observed in historical campaigns, this timing is critical to business operations. Your security team should deliver a written assessment covering:

Exposure Assessment: Where is MOVEit installed and is it accessible from the internet

Patch Status: Whether all security updates have been applied to fix known vulnerabilities

Access Controls: Confirmation MOVEit is properly isolated from other systems and only authorized people can access it

Monitoring Capabilities: Ability to detect if someone is stealing data or accessing files inappropriately

Response Planning: Updated incident response plans specifically for a file transfer system breach, including who decides on disclosure and how quickly

The Executive Follow-Up Question:

"If MOVEit is compromised tomorrow, what's our maximum data exposure and regulatory notification timeline?"

This question forces your team to think beyond technical fixes to business impact. Their answer will tell you everything about your real-world risk posture.

The Bottom Line: Clarity Over Fear

This isn't about cybersecurity paranoia. It's about business risk management with documented warning signals.

  • The threat is verified and active

  • The timeline is historically predictable

  • The preventive action is inexpensive

  • The cost of inaction is potentially catastrophic

Your Next Move

Forward this analysis to your CISO with this message:

"I need a comprehensive MOVEit risk assessment on my desk by close of business Thursday. Include our current exposure level, patch status, monitoring capabilities, and a clear answer to this question: If our MOVEit system is compromised, what's our worst-case data exposure and regulatory timeline? This isn't theoretical. 682 IP addresses are actively scanning for these systems right now, according to verified threat intelligence."

Want executive-level cybersecurity intelligence delivered every Monday? Subscribe to INP² Executive Brief →

Join business leaders who rely on INP² to translate complex security threats into actionable business intelligence. Get the context you need to make informed decisions before threats become headlines.

Next Monday: AI-powered business email compromise attacks and why traditional email security is failing.
