Coordinated Cloud-Based Scanning Targets Multiple Vulnerabilities in Web Infrastructure

In May 2025, researchers at GreyNoise uncovered a coordinated cloud-based scanning campaign that probed 75 distinct exposure points across a range of web technologies. The activity involved 251 malicious IP addresses, geolocated primarily to Japan and hosted on Amazon Web Services. The probes looked for vulnerabilities in widely deployed software, from Adobe ColdFusion to Apache Struts, which points to a broad, opportunistic scanning strategy rather than a focused attack on particular targets. Here is a breakdown of the findings and what they mean for defenders.

Overview of the Incident

On May 8, 2025, GreyNoise observed a surge of scanning activity from 251 distinct malicious IP addresses geolocated to Japan. The addresses belonged to Amazon cloud infrastructure, which suggests they were provisioned temporarily for a single coordinated operation. The scanning covered 75 different exposure points, including well-known vulnerabilities such as CVE-2018-15961 in Adobe ColdFusion, CVE-2017-5638 in Apache Struts, and CVE-2015-1427 in Elasticsearch.

The method was opportunistic: the scanners were looking for any weak spot in whatever systems answered. The probes were diverse, covering not only CVE exploit attempts but also misconfiguration checks and reconnaissance requests meant to enumerate potential weaknesses. Despite the scale of the scanning, none of the IP addresses showed activity before or after the event, which suggests they were rented for this one operation and then released.

The burst on May 8 was a one-off event with no observable activity on the surrounding days, which GreyNoise interprets as a single operation deployed across many addresses at once. The IPs scanned for vulnerabilities in a wide range of systems, including:

Adobe ColdFusion — CVE-2018-15961 (unrestricted file upload leading to remote code execution)

Apache Struts — CVE-2017-5638 (OGNL injection via a crafted Content-Type header)

Atlassian Confluence — CVE-2022-26134 (OGNL injection in the request URI)

Bash — CVE-2014-6271 (Shellshock, typically delivered through CGI request headers)

Elasticsearch — CVE-2015-1427 (Groovy sandbox bypass and remote code execution)

Other common weaknesses: CGI script scanning, environment variable exposure (.env files), Git config crawlers (.git/config), shell upload checks, and WordPress author enumeration.

All of these are old, well-documented flaws with public exploits. A successful hit yields remote code execution or direct access to secrets such as credentials in an exposed .env file or source code reachable through .git/config, and from there full system compromise. The operation highlights a continuing pattern of orchestrated, cloud-hosted scanning campaigns aimed at mass exploitation of known CVEs.

What Undercode Say:

Analyzing this operation offers a deeper understanding of the current threat landscape. The coordinated nature of the attack, involving numerous IP addresses and targeting a wide array of web infrastructure, underscores a growing trend in cyberattacks. This type of scanning is often the precursor to more targeted exploitation. Attackers typically use such operations to gather information on vulnerable systems before launching more focused attacks that could lead to major breaches or ransomware infections.

What makes this campaign particularly notable is that all scanning activity occurred on a single day, May 8, 2025, suggesting a tightly coordinated, time-boxed operation rather than a persistent scanner fleet. The fact that the addresses were geolocated to Japan and hosted on Amazon infrastructure reflects the growing use of cloud services by attackers: cloud instances are cheap, disposable and well connected, and can be spun up in bulk and discarded within hours. Addresses used this way have no reputation history before the scan and are gone after it, so IP-reputation blocking lags behind the activity it is meant to stop.

GreyNoise's analysis of the overlapping IP addresses, many of which probed for several of the same vulnerabilities, points to automated tooling and a high degree of orchestration. This level of coordination indicates mature automation rather than a sophisticated adversary: the CVEs involved are years old and their exploits are public, so the operation is better read as mass vulnerability scanning and reconnaissance run from one toolset across rented infrastructure.
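The probe list above and the overlapping-IP observation both come down to the same detection task: recognise the probes in your own web-server logs and notice when many sources send an identical set of them on the same day. The following Python is an added example written for this article, not GreyNoise's tooling or its tag definitions. The log format, the source addresses and the signature patterns are constructed; the patterns are simplified approximations of the well-known exploit requests (the ColdFusion upload path, the Struts OGNL Content-Type header, the Confluence `${...}` URI, the Shellshock `() {` header, the Elasticsearch `script_fields` query) and should be treated as illustrative rather than authoritative.

```python
"""Flag known scanner probes in web-server log lines and cluster source IPs
that share an identical probe fingerprint (one toolset, many addresses).

Added example for this article; signatures are simplified approximations,
not GreyNoise's tags. All sample data below is constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed log format (not a real server's default format):
#   <src-ip> "<METHOD> <path>" "<User-Agent>" "<Content-Type>"
# Content-Type is logged because the Struts and Shellshock probes travel in
# request headers, which the common combined log format does not record.
LINE_RX = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)" "([^"]*)"$')

# (tag, field to inspect, pattern). "headers" means User-Agent or Content-Type.
# Paths are URL-decoded before matching because scanners routinely encode them.
SIGNATURES = [
    ("coldfusion-cve-2018-15961", "path", re.compile(r"/filemanager/upload\.cfm$", re.I)),  # assumed path
    ("struts-ognl-cve-2017-5638", "ctype", re.compile(r"%\{|#_memberAccess|ognl", re.I)),
    ("confluence-ognl-cve-2022-26134", "path", re.compile(r"^/\$\{")),
    ("shellshock-cve-2014-6271", "headers", re.compile(r"\(\)\s*\{")),
    ("elasticsearch-groovy-cve-2015-1427", "path", re.compile(r"/_search\?.*script_fields", re.I)),
    ("git-config-crawl", "path", re.compile(r"/\.git/config$")),
    ("env-file-exposure", "path", re.compile(r"/\.env$")),
    ("cgi-bin-scan", "path", re.compile(r"^/cgi-bin/")),
    ("wp-author-enum", "path", re.compile(r"[?&]author=\d+|/wp-json/wp/v2/users")),
    ("shell-upload-check", "path", re.compile(r"/(?:shell|c99|r57)\w*\.php$", re.I)),
]

# Constructed sample traffic: four "rented" addresses running the same probe
# set, one ordinary visitor, and one lone .git/config crawler.
CAMPAIGN_IPS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
CAMPAIGN_REQUESTS = [
    '"POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm" "python-requests/2.31" "multipart/form-data"',
    '"POST /index.action" "python-requests/2.31" "%{#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS}"',
    '"GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/" "python-requests/2.31" "-"',
    '"GET /cgi-bin/test.cgi" "() { :; }; /bin/bash -c id" "-"',
    '"GET /_search?source=%7B%22script_fields%22%3A%7B%22x%22%3A%7B%22lang%22%3A%22groovy%22%7D%7D%7D" "python-requests/2.31" "-"',
    '"GET /.git/config" "python-requests/2.31" "-"',
    '"GET /.env" "python-requests/2.31" "-"',
    '"GET /?author=1" "python-requests/2.31" "-"',
    '"GET /uploads/shell.php" "python-requests/2.31" "-"',
]
OTHER_LINES = [
    '203.0.113.5 "GET /index.html" "Mozilla/5.0" "-"',
    '203.0.113.5 "GET /blog/2025/05/post" "Mozilla/5.0" "-"',
    '203.0.113.77 "GET /.git/config" "curl/8.0" "-"',
]
SAMPLE_LOG = "\n".join(
    [f"{ip} {req}" for ip in CAMPAIGN_IPS for req in CAMPAIGN_REQUESTS] + OTHER_LINES
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RX.match(line)
    if not m:
        return None
    ip, method, raw_path, ua, ctype = m.groups()
    return {"ip": ip, "method": method, "path": unquote(raw_path), "ua": ua, "ctype": ctype}


def classify(record):
    """Return every probe tag whose signature matches this request."""
    tags = []
    for tag, field, rx in SIGNATURES:
        targets = [record["ua"], record["ctype"]] if field == "headers" else [record[field]]
        if any(rx.search(t) for t in targets):
            tags.append(tag)
    return tags


def fingerprint_sources(log_text):
    """Map each source IP to the frozenset of probe tags it sent."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].update(classify(rec))
    return {ip: frozenset(tags) for ip, tags in per_ip.items()}


def probe_source_counts(fingerprints):
    """How many distinct sources sent each probe: the 'overlapping IPs' view."""
    return Counter(tag for fp in fingerprints.values() for tag in fp)


def coordinated_clusters(fingerprints, min_sources=3, min_probes=2):
    """Group sources that share an identical multi-probe fingerprint.

    Many addresses emitting exactly the same probe set is the one-toolset,
    many-rented-IPs pattern; a lone crawler hitting one path is not."""
    by_fp = defaultdict(list)
    for ip, fp in fingerprints.items():
        if len(fp) >= min_probes:
            by_fp[fp].append(ip)
    return {fp: sorted(ips) for fp, ips in by_fp.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    fps = fingerprint_sources(SAMPLE_LOG)
    for tag, n in probe_source_counts(fps).most_common():
        print(f"{n:3d} sources  {tag}")
    for fp, ips in coordinated_clusters(fps).items():
        print(f"cluster of {len(ips)} sources sharing {len(fp)} probes: {', '.join(ips)}")
```

The clustering deliberately keys on the probe set rather than on the source address, which is the point of the ephemeral-IP caveat: the addresses in a real campaign are worthless as indicators a day later, but a fleet that keeps sending the same fingerprint from fresh infrastructure is still recognisable. The `min_probes` threshold keeps single-path crawlers, which are constant background noise, out of the cluster view.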

In light of these developments, organizations should prioritize proactive measures to safeguard their infrastructure. Blocking the published IP addresses is a quick step, but with addresses that were active for a single day and then released, a blocklist mostly guards against traffic that has already stopped. The durable defenses are patching the listed CVEs, removing exposed artifacts such as .git directories and .env files from web roots, disabling unneeded CGI handlers, and alerting on the probe patterns themselves regardless of which source address carries them.

Fact Checker Results 📊

The targeted vulnerabilities are all well-documented and widely known, indicating the attackers were seeking easily exploitable systems rather than using anything novel.
The use of Amazon infrastructure reflects the increasing trend of attackers leveraging cloud services for disposable, scalable scanning capacity.
GreyNoise's conclusion about the overlapping IP addresses points to a single operation run from a single toolset. Because the addresses were used for one day and then dropped, blocking them offers little lasting protection; the shared toolset is better countered by detecting its probe signatures and closing the vulnerabilities it looks for.

Prediction 🔮

This kind of scanning activity is likely to become more frequent as attackers continue to refine their methods. Given the growing reliance on cloud infrastructure, future campaigns will probably use similar tactics to target more vulnerabilities across a variety of widely used web technologies. Organizations should also expect follow-up exploitation attempts against hosts that responded to the probes, originating from different infrastructure than the scan itself. Continuous monitoring, prompt patching of known vulnerabilities, and automated detection of probe traffic will be key to mitigating the risks posed by such opportunistic campaigns.

References:

Reported By: thehackernews.com