
Cybersecurity researchers have revealed details of tailored cloud-based scanning activity that targeted 75 different “exposure points” earlier this month.
The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon.
“These IPs triggered 75 different behaviors, including CVE exploits, misconfiguration probes and reconnaissance activities,” the threat intelligence company said. “All IPs were silent before and after the surge, indicating a temporary infrastructure challenge for a single operation.”

Scanning efforts have been found to target a wide range of technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic.
The opportunistic operation suggests the threat actors were searching indiscriminately for any susceptible system, with activity ranging from attempts to exploit known CVEs to probes for misconfigurations and other weaknesses in web infrastructure.
- Adobe ColdFusion – CVE-2018-15961 (Remote Code Execution)
- Apache Struts – CVE-2017-5638 (OGNL Injection)
- Atlassian Confluence – CVE-2022-26134 (OGNL Injection)
- Bash – CVE-2014-6271 (Remote Code Execution)
- CGI Script Scan
- Environment Variable Exposure
- Git Configuration Crawler
- Shell Upload Check
- WordPress Author Check

An interesting aspect is that the broad-spectrum scanning was active only on May 8, with no significant change in activity before or after that date.
GreyNoise said that 295 IP addresses scanned for CVE-2018-15961, 265 IPs for Apache Struts, and 260 IPs for CVE-2015-1427. Of these, 262 IPs overlapped between ColdFusion and Struts, and 251 IPs overlapped across all three vulnerability scans.
“This level of overlap refers to a single operator or set of tools deployed on many temporary IPs. This is an opportunistic yet increasingly common pattern in orchestrated scans,” says GreyNoise.
To mitigate the activity, organizations should block the malicious IP addresses immediately, while bearing in mind that follow-up exploitation may originate from different infrastructure.
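Because blocking individual IPs does not follow the operator to new infrastructure, defenders can look for the pattern itself: sources that appear on a single day and trip several unrelated probes. The following is an added example, not GreyNoise's code; the event tuples, tag labels and documentation-range IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Hypothetical behaviour labels, standing in for whatever tags your sensor assigns.
TAGS = ("coldfusion", "struts", "elasticsearch")
DAY = date(2025, 5, 8)

# Constructed sample events: (source IP, day seen, behaviour tag).
EVENTS = (
    # Two sources seen only on the surge day, probing all three technologies.
    [(ip, DAY, t) for ip in ("198.51.100.10", "198.51.100.11") for t in TAGS]
    # One source seen only on the surge day, but probing two technologies.
    + [("198.51.100.12", DAY, t) for t in TAGS[:2]]
    # A long-lived background scanner: one tag, several days.
    + [("203.0.113.5", date(2025, 5, d), "struts") for d in (6, 8, 10)]
    # Hits all three tags but was also active the day before, so it is not "silent".
    + [("203.0.113.6", DAY, t) for t in TAGS]
    + [("203.0.113.6", date(2025, 5, 7), "struts")]
)

def tag_overlap(events, tag_names):
    """Return the set of IPs that were seen for every tag in tag_names."""
    per_tag = defaultdict(set)
    for ip, _day, tag in events:
        per_tag[tag].add(ip)
    return set.intersection(*(per_tag[t] for t in tag_names))

def burst_clusters(events, min_tags=3):
    """Group IPs seen on exactly one day that hit at least min_tags distinct tags.

    Returns {(day, frozenset_of_tags): sorted list of IPs}. A large cluster with
    an identical tag set suggests one toolset run from short-lived hosts.
    """
    days, tags = defaultdict(set), defaultdict(set)
    for ip, day, tag in events:
        days[ip].add(day)
        tags[ip].add(tag)
    clusters = defaultdict(list)
    for ip, seen in days.items():
        if len(seen) == 1 and len(tags[ip]) >= min_tags:
            (day,) = seen
            clusters[(day, frozenset(tags[ip]))].append(ip)
    return {key: sorted(ips) for key, ips in clusters.items()}

if __name__ == "__main__":
    print("all-tag overlap:", sorted(tag_overlap(EVENTS, TAGS)))
    for (day, tagset), ips in burst_clusters(EVENTS).items():
        print(day, sorted(tagset), ips)
```

Overlap alone still includes the source that was active the day before; the single-day filter in `burst_clusters` is what separates short-lived surge hosts from persistent scanners.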