
Massive Exploit Scan Targets ColdFusion, Struts, and Elasticsearch Using Amazon IPs

Cybersecurity researchers have recently uncovered a significant cloud-based scanning operation that targeted various vulnerabilities in widely used technologies. This coordinated effort, which took place on May 8, 2025, involved 251 malicious IP addresses hosted by Amazon and geolocated to Japan. The scanning activity aimed at exploiting known vulnerabilities in systems such as Adobe ColdFusion, Apache Struts, and Elasticsearch, among others.


Key Takeaways

  • Date of Activity: May 8, 2025

  • Number of Malicious IPs: 251 Amazon-hosted IPs

  • Targeted Technologies: Adobe ColdFusion, Apache Struts, Elasticsearch, and more

  • Types of Attacks: CVE exploits, misconfiguration probes, reconnaissance activities

  • Overlap of IPs: 262 IPs targeted both ColdFusion and Struts vulnerabilities

Overview of the Scanning Activity

The scanning operation was identified by GreyNoise, a threat intelligence firm, which reported that the malicious IPs exhibited 75 distinct behaviors, including attempts to exploit known Common Vulnerabilities and Exposures (CVEs) and probing for misconfigurations. Notably, all the IPs were inactive before and after the scanning event, suggesting they were temporarily rented for this specific operation.

The targeted technologies included:

  • Adobe ColdFusion: CVE-2018-15961 (Remote code execution)

  • Apache Struts: CVE-2017-5638 (OGNL injection)

  • Atlassian Confluence: CVE-2022-26134 (OGNL injection)

  • Bash: CVE-2014-6271 (Shellshock)

  • Elasticsearch: CVE-2015-1427 (Groovy sandbox bypass and remote code execution)

Analysis of the Attack Patterns

The scanning activity was characterized by a broad-spectrum approach, indicating that the threat actors were searching for any vulnerable systems across various platforms. The following types of scans were reported:

  • CVE Exploits: Targeting known vulnerabilities in software

  • CGI Script Scanning: Checking for vulnerable CGI scripts

  • Environment Variable Exposure: Probing for sensitive information in environment variables

  • Git Config Crawlers: Searching for exposed Git configurations

  • Shell Upload Checks: Looking for potential shell upload vulnerabilities

  • WordPress Author Checks: Scanning for weaknesses in WordPress installations
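As an added example (not code from the article or from GreyNoise), the following Python classifies web-server access-log requests into the reconnaissance categories listed above and flags source IPs that exhibit several distinct probe behaviors in one log. The log lines and IP addresses are constructed, and the path patterns are illustrative assumptions, not the scanner's actual requests.

```python
import re
from collections import defaultdict

# Constructed combined-format access-log lines; documentation-range IPs, not report indicators.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2025:10:01:03 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2025:10:01:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2025:10:01:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2025:10:01:06 +0000] "POST /wp-content/uploads/probe.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [08/May/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [08/May/2025:10:02:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# Captures source IP, method, request path (with query string) and status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed path patterns for the reconnaissance categories named in the report.
CATEGORIES = {
    "git_config": re.compile(r"/\.git(/|$)"),
    "env_exposure": re.compile(r"/\.env(\.|$)"),
    "cgi_scan": re.compile(r"/cgi-bin/"),
    "wp_author_enum": re.compile(r"[?&]author=\d+"),
    "shell_upload": re.compile(r"/(wp-content/)?uploads?/.*\.php$"),
}

def classify(path):
    """Return the recon category a request path matches, or None for ordinary traffic."""
    for name, pattern in CATEGORIES.items():
        if pattern.search(path):
            return name
    return None

def behaviors_per_ip(log_text):
    """Map each source IP to the set of distinct recon behaviors it showed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, path, _status = m.groups()
        cat = classify(path)
        if cat:
            seen[ip].add(cat)
    return dict(seen)

def flag_scanners(log_text, min_behaviors=3):
    """IPs showing several probe types are likely scanners, whether or not they are on a published blocklist."""
    return sorted(ip for ip, cats in behaviors_per_ip(log_text).items()
                  if len(cats) >= min_behaviors)
```

Because the flag is based on behavior rather than a fixed IP list, it still fires when the same probing returns from freshly rented infrastructure.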

Implications for Organizations

The findings from this scanning activity highlight the importance of maintaining robust security measures. Organizations are urged to take immediate action by blocking the identified malicious IP addresses to prevent potential exploitation. However, it is crucial to note that follow-up attacks may originate from different infrastructures, necessitating ongoing vigilance and security assessments.

This incident serves as a reminder of the persistent threats posed by opportunistic scanning activities in the cybersecurity landscape. As attackers continue to leverage cloud infrastructure for their operations, organizations must remain proactive in their defense strategies to safeguard their systems against such vulnerabilities.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • 251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch, The Hacker News.
