Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct “exposure points” earlier this month.
The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon.
“These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity,” the threat intelligence firm said. “All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation.”
The scanning efforts have been found to have targeted a wide array of technologies from Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic, among others.
The opportunistic operation ranged from exploitation attempts for known CVEs to probes for misconfigurations and other weak points in web infrastructure, indicating that the threat actors were looking indiscriminately for any susceptible system
Adobe ColdFusion — CVE-2018-15961 (Remote code execution)
Apache Struts — CVE-2017-5638 (OGNL injection)
Atlassian Confluence — CVE-2022-26134 (OGNL Injection)
Bash — CVE-2014-6271 (Shellshock)
Elasticsearch — CVE-2015-1427 (Groovy sandbox bypass and remote code execution)
CGI script scanning
Environment variable exposure
Git config crawlers
Shell upload checks, and
WordPress author checks
An interesting aspect is that the broad-spectrum scan was active only on May 8, with no noticeable change in the activity before or after the date.
GreyNoise said 295 IP addresses were scanned for CVE-2018-15961, 265 IPs for Apache Struts, and 260 IPs for CVE-2015-1427. Out of these, 262 IPs overlapped between ColdFusion and Struts and 251 IPs overlapped across all the three vulnerability scans.
“This level of overlap points to a single operator or toolset deployed across many temporary IPs — an increasingly common pattern in opportunistic but orchestral scanning,” GreyNoise said.
To mitigate the activity, organizations are required to block the malicious IP addresses immediately, although it bears noting that follow-up exploitation may emanate from different infrastructures.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
“}]] The Hacker News
