Latest news with #MOVEitTransfer


Forbes, 3 days ago
Potential Cyber Threat Emerges As MOVEit Scanning Accelerates
Scanning activity targeting MOVEit Transfer systems surges globally, raising fears of another widespread exploitation campaign.

Progress Software's MOVEit Transfer system is back in the cybersecurity spotlight — and not for good reasons. New telemetry from GreyNoise shows a sharp and sudden surge in scanning activity, raising fears that attackers may be preparing for a fresh wave of exploitation, echoing the mass compromise campaigns of 2023.

A Sudden Shift That Demands Attention

On May 27, GreyNoise recorded a striking jump in the number of unique IPs probing MOVEit Transfer systems. Scanning activity, previously hovering below 10 IPs per day, skyrocketed to over 100. The next day, it surged to 319. Since then, daily scans have remained high, fluctuating between 200 and 300 unique IPs — a pattern that GreyNoise calls a 'significant deviation' from baseline behavior.

These aren't just idle scans. Nearly half of the probing IPs — 44% — are associated with Tencent Cloud. Others originate from Amazon AWS, Cloudflare, and Google Cloud, platforms often abused for mass-scale reconnaissance due to their ease of access and global reach. The scans are originating primarily from the United States, but also span Germany, Japan, Singapore, Brazil, and other countries. The targets are globally distributed, with GreyNoise noting attempted access across the UK, Germany, France, and Mexico.

Echoes of 2023

MOVEit Transfer made headlines just a couple years ago when a critical SQL injection vulnerability (CVE-2023-34362) was exploited by the Cl0p ransomware group. That zero-day led to breaches at hundreds of organizations, including government agencies and major corporations. The attackers used automated scanning and mass exploitation to infiltrate unpatched instances at scale. The current surge raises concerns that we may be witnessing a similar prelude.

Attackers are known to conduct broad reconnaissance to identify unpatched or misconfigured systems before launching widespread attacks. GreyNoise's detection of sustained scanning over multiple weeks — rather than a short spike — suggests that reconnaissance is ongoing, possibly automated, and potentially linked to active threat actors preparing an operation.

But not all experts see this as a clear sign of an imminent threat. 'The increase in scanning activity targeting MOVEit Transfer systems is worth monitoring, but doesn't necessarily indicate imminent or widespread exploitation,' said Shane Barney, CISO at Keeper Security. 'This type of behavior often reflects opportunistic threat actors probing for unpatched systems – not necessarily a sophisticated adversary.' Still, Barney acknowledged the high stakes: 'The MOVEit vulnerabilities have a history of being exploited at scale, with significant consequences, so organizations must remain vigilant.'

What to Do Now

Security leaders should act now, not later. Here's what should be prioritized:

Nivedita Murthy, senior staff consultant at Black Duck, emphasized that attackers are quick to capitalize on lapses in patching. 'Attackers are exploiting a vulnerability in outdated versions of MOVEit Transfer, emphasizing the importance of keeping software up-to-date with the latest patches,' she said. Murthy also noted the growing role of automation in these campaigns: 'With the help of AI, attackers can automate a lot of their tasks and run attacks faster while making them harder to detect.' She recommends a layered defense, starting with visibility: 'Security teams should inventory all instances of the software using SCA tools, implement additional controls such as authentication and authorization, and regularly scan their software inventory for risks.'

Maintaining accurate Software Bills of Materials, she added, is also critical to managing risk and 'helps confidently unleash business innovation in an era of accelerating risk.'

Cloud Platforms as Recon-as-a-Service

There's also a broader trend at play: cloud infrastructure is now a top tool for adversaries. Spinning up virtual machines on public cloud services takes minutes and costs pennies. That makes them perfect for running scanning scripts or launching low-and-slow enumeration attacks while obscuring true attribution. Tencent Cloud's appearance in this story is notable, not because the company is complicit, but because of the volume. With nearly half of scanner IPs traced back to Tencent's ASN, it's clear adversaries see value in its global footprint and accessibility. This development calls for better coordination between cloud providers and the security community to detect, report, and tear down abuse infrastructure before it's weaponized.

A Warning, Not Yet a Breach

While the scanning activity may not yet point to a coordinated exploit campaign, the patterns are uncomfortably familiar. Last year's MOVEit breaches didn't start with explosions — they started with quiet reconnaissance. 'Ensuring patches are applied, systems aren't unnecessarily exposed, and privileged access is tightly controlled are all foundational steps that help reduce risk,' Barney advised. 'While cybercrime groups may attempt to speed up and scale campaigns with automation or AI, core defense strategies remain the same: establish a zero-trust architecture, manage privileged access, and use real-time threat detection.'

This isn't cause for panic…yet. But it is a call to be prepared. Threat actors are scanning. Whether or not they act depends, in part, on whether defenders leave the door open.


Forbes, 08-04-2025, Business
Clop Ransomware Hack Of WK Kellogg Shows Growing Threat To Your Data
Today, personal information flows through countless digital systems, and a single vulnerability can expose the data of thousands—or even millions—of individuals. That is exactly what is happening now with a ransomware group called Clop, which is behind one of the most aggressive cybercrime waves in recent memory.

Clop has been exploiting vulnerabilities in Cleo, a popular file transfer software used by over 4,000 organizations worldwide, including its latest victim, WK Kellogg Co.—the American food giant behind brands like Froot Loops, Corn Flakes, and Frosted Flakes. In a recent notification, WK Kellogg confirmed that attackers gained unauthorized access to servers used to transfer sensitive employee files. Among the data stolen were names and Social Security numbers—details that can be used for identity theft, fraud, and more.

This breach is not an isolated incident. Clop has published a list of over 66 affected companies on its dark web extortion site, threatening to leak stolen data unless ransom demands are met. The leaked information often includes personal customer or employee data, putting everyday people at risk—whether or not they have ever heard of Cleo or Clop.

The Clop group has a history of targeting file transfer tools; in 2023, they exploited a zero-day vulnerability in the MOVEit Transfer software, impacting over 300 organizations and compromising the personal data of approximately 93.3 million individuals. Similarly, in 2021, Clop exploited vulnerabilities in Accellion's File Transfer Appliance, leading to data breaches at multiple organizations, including the Reserve Bank of New Zealand and the University of California system. This type of ransomware does not rely on victims clicking malicious emails or attachments. Instead, attackers actively search for and exploit weaknesses in trusted enterprise software to gain access to sensitive data.
It is easy to assume that large-scale cyberattacks only affect corporations, but the truth is the consequences often trickle down to individuals. When ransomware groups like Clop breach major companies, they do not just steal internal documents—they often walk away with sensitive personal data belonging to employees, vendors, and customers. This information can include names, addresses, phone numbers, email addresses, and, in many cases, Social Security numbers or other government-issued IDs. Once stolen, this data becomes a tool for cybercriminals to commit identity theft, financial fraud, and phishing scams. Your SSN, for example, can be used to open new credit cards, take out loans in your name, or file fraudulent tax returns—often without you realizing it until the damage is done.

What makes these breaches even more dangerous for home users is that the fallout does not always happen right away. Hackers often sit on the stolen data for months before leaking or selling it on the dark web. By the time your information is being misused, the company may have long since issued its public breach notification, and you might never connect the fraud to the original incident. Even if you have never heard of the company that was breached, your personal data could still be involved if your employer, healthcare provider, or service vendor uses the compromised platform or software.

While you cannot stop ransomware attacks targeting large companies, there is a lot you can do to protect yourself from the fallout. Here are practical steps every home user should take:

- Use tools like to find out if your email or phone number has appeared in known data breaches.
- If a company you do business with has been breached, monitor your email or physical mail for official notices—especially from banks, healthcare providers, or your employer.
- If a breach involves personal information like your Social Security number, enroll in free identity protection services if offered. Companies like WK Kellogg often partner with providers like Kroll to help affected individuals. Also, consider placing a fraud alert or even a security freeze with the three major credit bureaus: Equifax, Experian, and TransUnion.
- After a breach, scammers may impersonate the affected company to trick you into clicking malicious links. Always verify suspicious messages by visiting the company's official website or contacting their customer support directly—never trust links in unsolicited emails or texts.
- Change your passwords for any accounts linked to the breach. Use a password manager to create strong, unique passwords for every site. Always enable MFA where available for added protection.
- Cybercriminals exploit outdated software. Regularly update your devices, browsers, and apps to fix security holes.