Mass Exploit Scanning From Japan-Based AWS IPs Targets ColdFusion, Struts, Tomcat, Elasticsearch, WebLogic, & More


On May 8, 2025, a highly coordinated cloud-based scanning operation was observed by GreyNoise, involving 251 malicious IP addresses hosted on Amazon Web Services (AWS) and geolocated to Japan. This surge targeted 75 known exposure points in web infrastructure, indicating a well-orchestrated reconnaissance campaign likely conducted using temporarily rented infrastructure.

Severity Level: High

THREAT OVERVIEW:

  1. Scope of Attack: 251 malicious IPs triggered 75 distinct scanning behaviors, spanning exploit attempts, reconnaissance, and misconfiguration probes.
  2. Targeted Vulnerabilities & Technologies: The scan encompassed technologies such as Adobe ColdFusion, Apache Struts, Elasticsearch, Atlassian Confluence, Bash, WebLogic, Drupal, Tomcat, and WordPress, among others. Notable CVEs targeted included:
    • CVE-2018-15961: Adobe ColdFusion Remote Code Execution
    • CVE-2017-5638: Apache Struts OGNL Injection
    • CVE-2015-1427: Elasticsearch Groovy Sandbox Bypass Remote Code Execution
    • CVE-2022-26134: Atlassian Confluence OGNL Injection
    • CVE-2014-6271: Bash Shellshock Vulnerability
  3. Reconnaissance Techniques: The attackers performed WordPress author enumeration, CGI script scanning, web.xml access attempts, and probes for Git config leaks, environment variable exposures, and shell upload vectors.
  4. Infrastructure and Coordination: All IPs were silent before and after May 8, indicating short-lived, rented cloud infrastructure for this operation. This reflects a centralized control model using multiple temporary IPs to maximize scan coverage while minimizing detection risk.
  5. Implications: This coordinated scanning operation signals a serious threat to unpatched edge infrastructure and legacy systems. Such reconnaissance campaigns often precede exploitation attempts or zero-day discoveries, so immediate defensive action is required.

Recommendations:

  1. Review network and application logs for IOC IPs specifically for May 8, 2025, to detect any evidence of scans, exploit attempts, or follow-up activity.
    https://www.virustotal.com/gui/collection/c66a5199de64d116f2716ffcb69d6b6509af2093fdcd936f73856e52b157b677/iocs
  2. Establish clear incident response plans for exploitation attempts following reconnaissance.
  3. Prioritize patching and updating software with known exploited CVEs, especially for Adobe ColdFusion, Apache Struts, Elasticsearch, Atlassian Confluence, and Bash.
  4. Geo-fencing controls: Restrict traffic from suspicious regions (in this case Japan) unless justified.
  5. Harden edge infrastructure; disable unused CGI scripts and default services.
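The following is an added example, not code from the advisory, GreyNoise, or The Hacker News, showing how the log review in recommendation 1 can be automated against the reconnaissance techniques listed under item 3 of the threat overview (WordPress author enumeration, CGI scanning, web.xml access, Git config and .env probes, shell upload probes). It assumes combined-format web server access logs; the request-path regexes, the function names, and the IOC IP addresses (RFC 5737 documentation ranges standing in for the published IOC collection) are constructed for this example. Each finding records whether the source IP is on the IOC list, whether the request fell on May 8, 2025, and whether the server answered with a 2xx, since a 200 on /.git/config or /.env means the file was actually served and the host needs incident response rather than just patching.

```python
import re
from datetime import date, datetime

# Constructed placeholder IOC IPs (RFC 5737 documentation ranges). Replace with the
# IOC collection published for the May 8, 2025 campaign before running on real logs.
IOC_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# The day the advisory asks defenders to review.
CAMPAIGN_DAY = date(2025, 5, 8)

# Request-path signatures for the reconnaissance techniques the advisory names.
# These regexes are assumptions written for this example, not signatures from the advisory.
RECON_PATTERNS = {
    "wordpress_author_enum": re.compile(r"[?&]author=\d+"),
    "cgi_script_scan": re.compile(r"/cgi-bin/"),
    "web_xml_access": re.compile(r"/WEB-INF/web\.xml", re.IGNORECASE),
    "git_config_leak": re.compile(r"/\.git/config"),
    "env_file_exposure": re.compile(r"/\.env(?:[?#]|$)"),
    "shell_upload_probe": re.compile(
        r"/[^/?]*(?:shell|upload)[^/?]*\.(?:php|jsp|cfm)(?:[?#]|$)", re.IGNORECASE
    ),
}

# Apache/Nginx combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def classify_path(path):
    """Names of the reconnaissance patterns a request path matches (empty list if none)."""
    return [name for name, rx in RECON_PATTERNS.items() if rx.search(path)]


def triage(lines, ioc_ips=IOC_IPS, day=CAMPAIGN_DAY):
    """One finding per request that comes from an IOC IP or matches a recon pattern."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the whole review
        ip, ts, method, path, status = parsed
        tags = classify_path(path)
        in_ioc = ip in ioc_ips
        if not (in_ioc or tags):
            continue
        findings.append({
            "ip": ip,
            "path": path,
            "ioc_match": in_ioc,
            "recon": tags,
            "on_campaign_day": ts.date() == day,
            "served_2xx": 200 <= status < 300,  # a 2xx on a probe means the file was served
        })
    return findings


def summarize(findings):
    """Per-IP rollup: request count, distinct recon tags, IOC status, and whether any probe succeeded."""
    summary = {}
    for f in findings:
        s = summary.setdefault(
            f["ip"], {"requests": 0, "recon": set(), "ioc_match": f["ioc_match"], "served_2xx": False}
        )
        s["requests"] += 1
        s["recon"].update(f["recon"])
        s["served_2xx"] = s["served_2xx"] or f["served_2xx"]
    return summary


# Constructed sample log lines for demonstration only (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [08/May/2025:13:04:11 +0000] "GET /?author=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/May/2025:13:04:12 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [08/May/2025:13:05:40 +0000] "GET /.env HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.7 - - [08/May/2025:13:06:02 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.50 - - [08/May/2025:13:07:15 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.51 - - [09/May/2025:01:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, s in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(ip, s)
```

Note that 192.0.2.50 is flagged even though it is not on the IOC list: the advisory's point about short-lived rented IPs is that the addresses change, so the recon-path signatures are what remain useful after the IOC list goes stale. Findings with `served_2xx` true on a Git config or .env probe should be treated as a confirmed exposure, not just a scan.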

Source:

  • https://thehackernews.com/2025/05/251-amazon-hosted-ips-used-in-exploit.html
  • https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-targets-75-known-exposure-points

Ampcus Cyber