On May 8, 2025, cybersecurity analysts at GreyNoise identified a large-scale and tightly coordinated scanning campaign that swept across 75 known exposure points on the internet—all within a 24-hour window.
The operation was launched using 251 unique IP addresses, all geolocated to Japan and hosted by Amazon Web Services (AWS).
These IPs were inactive before and after the campaign, indicating the likely use of temporary, rented cloud infrastructure to carry out the scan and then disappear—a tactic often seen in professional, stealthy attacks.
Instead of random, opportunistic probing, this was a targeted operation, carefully mapped out and likely automated, suggesting it was centrally planned using custom tooling or orchestration scripts.
The attackers were not just scanning at random—they were actively probing for known vulnerabilities and misconfigurations across a wide range of commonly deployed enterprise systems. GreyNoise detected 75 distinct behaviors as part of the campaign, including:
Exploitation Attempts for Known CVEs:
- Adobe ColdFusion – CVE-2018-15961 (Remote Code Execution)
- Apache Struts – CVE-2017-5638 (OGNL Injection)
- Elasticsearch – CVE-2015-1427 (Groovy Sandbox RCE)
- Atlassian Confluence – CVE-2022-26134 (OGNL Injection)
- Bash (Shellshock) – CVE-2014-6271
Other Activities:
- Scanning for vulnerable CGI scripts
- Probing for exposed environment variables
- Checking for leaked .git directories or config files
- Attempting shell uploads
- Performing WordPress author enumeration (to prepare for brute-force or privilege escalation)
For example, the tag “ColdFusion RCE Attempt” would be triggered if GreyNoise detects exploit traffic like this in HTTP requests:
```http
POST /cfide/adminapi/base.cfc?method=login HTTP/1.1
Host: vulnerable-server
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

cfcPath=../../../../../../../../etc/passwd
```
This request tries to access system files using directory traversal, a clear sign of an attack attempt.
Recommended Defensive Actions
- Monitor for GreyNoise tags associated with known CVEs
- Block AWS-sourced scanning activity where appropriate
- Review logs for abnormal HTTP requests or access attempts
- Patch systems affected by the listed CVEs
- Harden public-facing apps against common misconfigurations
Risk Factors
Risk Factor | Description | Severity | Mitigation |
---|---|---|---|
Legacy CVEs | Old, unpatched flaws still being targeted | High | Patch regularly, scan for vulns |
Edge Infrastructure | Tools can scan wide areas quickly | High | Audit systems, segment networks |
Cloud IP Rotation | Attackers use throwaway IPs to bypass blocks | Medium | Use dynamic blocking, threat intel |
Misconfig Scans | Looks for weak setups and leaked settings | Medium | Harden configs, monitor constantly |
Broad Recon | Attackers hit any weak point, not just one | High | Assess overall security posture |
Automation & Orchestration | Attacks run fast using single toolsets | High | Automate detection |
The May 8 campaign shows how fast and advanced cloud-driven attacks have become. Organizations need to:
- Patch known CVEs
- Use real-time threat intelligence
- Monitor edge and legacy systems closely
These types of scans often come just before major zero-day exploits, so acting quickly is key to staying secure.