InfoSecBulletin Cybersecurity for mankind
Cybersecurity researchers recently revealed a coordinated cloud-based scanning attack that targeted 75 different exposure points earlier this month.
On May 8, 2025, GreyNoise observed activity from 251 malicious IP addresses located in Japan and hosted by Amazon.
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
“These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity,” the threat intelligence firm said. “All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation.”
The scanning efforts have been found to have targeted a wide array of technologies from Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic, among others.
The operation involved attempts to exploit known vulnerabilities and identify weak spots in web infrastructure, suggesting that the threat actors were searching for any vulnerable system.
Adobe ColdFusion — CVE-2018-15961 (Remote code execution)
Apache Struts — CVE-2017-5638 (OGNL injection)
Atlassian Confluence — CVE-2022-26134 (OGNL Injection)
Bash — CVE-2014-6271 (Shellshock)
Elasticsearch — CVE-2015-1427 (Groovy sandbox bypass and remote code execution)
CGI script scanning
Environment variable exposure
Git config crawlers
Shell upload checks, and
WordPress author checks
An interesting aspect is that the broad-spectrum scan was active only on May 8, with no noticeable change in the activity before or after the date.
GreyNoise reported that 295 IP addresses were scanned for CVE-2018-15961, 265 for Apache Struts, and 260 for CVE-2015-1427. Among these, 262 IPs were common between ColdFusion and Struts, and 251 IPs were shared across all three scans.
“This level of overlap points to a single operator or toolset deployed across many temporary IPs — an increasingly common pattern in opportunistic but orchestral scanning,” GreyNoise said.
Organizations must promptly block the malicious IP addresses to reduce the threat, but follow-up attacks may come from different sources.
