Cyber Web Spider Blog – News

251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch

Posted on May 28, 2025 By CWS

May 28, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month.
The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon.
"These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity," the threat intelligence firm said. "All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation."

The scanning efforts were found to have targeted a wide array of technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic, among others.
The opportunistic operation ranged from exploitation attempts for known CVEs to probes for misconfigurations and other weak points in web infrastructure, indicating that the threat actors were looking indiscriminately for any susceptible system:

  • Adobe ColdFusion — CVE-2018-15961 (Remote code execution)
  • Apache Struts — CVE-2017-5638 (OGNL injection)
  • Atlassian Confluence — CVE-2022-26134 (OGNL injection)
  • Bash — CVE-2014-6271 (Shellshock)
  • Elasticsearch — CVE-2015-1427 (Groovy sandbox bypass and remote code execution)
  • CGI script scanning
  • Environment variable exposure
  • Git config crawlers
  • Shell upload checks, and
  • WordPress author checks

An interesting aspect is that the broad-spectrum scan was active only on May 8, with no noticeable change in the activity before or after the date.
GreyNoise said 295 IP addresses scanned for CVE-2018-15961, 265 IPs for Apache Struts, and 260 IPs for CVE-2015-1427. Out of these, 262 IPs overlapped between ColdFusion and Struts and 251 IPs overlapped across all three vulnerability scans.
"This level of overlap points to a single operator or toolset deployed across many temporary IPs — an increasingly common pattern in opportunistic but orchestrated scanning," GreyNoise said.
To mitigate the activity, organizations are required to block the malicious IP addresses immediately, although it bears noting that follow-up exploitation could originate from different infrastructures.
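The overlap analysis GreyNoise describes can be reproduced against your own web logs. The following is an added example, not code from GreyNoise or the original article: the signatures, tag names and log lines are constructed for illustration. It flags source IPs that trigger several distinct probe behaviours on one day only.

```python
import re
from collections import defaultdict

# Illustrative signatures (assumptions, not GreyNoise's tag definitions).
SIGNATURES = {
    "git-config": re.compile(r'"(?:GET|HEAD) /\.git/config\b'),
    "env-file": re.compile(r'"(?:GET|HEAD) /\.env\b'),
    "cgi-scan": re.compile(r'"(?:GET|POST) /cgi-bin/'),
    "shellshock": re.compile(r'\(\)\s*\{'),  # CVE-2014-6271 function-definition marker
}
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):')
# Constructed sample access log (documentation IP ranges, not real indicators).
SAMPLE_LOG = """\
198.51.100.10 - - [08/May/2025:03:12:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "probe/1.0"
198.51.100.10 - - [08/May/2025:03:12:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "probe/1.0"
198.51.100.10 - - [08/May/2025:03:12:03 +0000] "GET /cgi-bin/status HTTP/1.1" 404 153 "-" "() { :; };"
198.51.100.11 - - [08/May/2025:03:12:05 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "probe/1.0"
198.51.100.11 - - [08/May/2025:03:12:06 +0000] "GET /cgi-bin/status HTTP/1.1" 404 153 "-" "() { :; };"
203.0.113.5 - - [02/May/2025:11:00:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "bot/2.1"
203.0.113.5 - - [09/May/2025:11:00:00 +0000] "GET /cgi-bin/test HTTP/1.1" 404 153 "-" "() { :; };"
203.0.113.77 - - [08/May/2025:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify(lines):
    """Return {ip: {tag: set(days)}} for every line matching a signature."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        for tag, rx in SIGNATURES.items():
            if rx.search(line):
                seen[m["ip"]][tag].add(m["day"])
    return seen

def coordinated(seen, min_tags=3):
    """IPs with >= min_tags distinct behaviours, all confined to a single day."""
    return {ip: sorted(t) for ip, t in seen.items()
            if len(t) >= min_tags and len(set().union(*t.values())) == 1}

def overlap(seen, *tags):
    """IPs observed for every given tag (the intersection GreyNoise reports)."""
    return {ip for ip, t in seen.items() if all(x in t for x in tags)}

if __name__ == "__main__":
    print(coordinated(classify(SAMPLE_LOG.splitlines())))
```

An IP that probes across several days (203.0.113.5 in the sample) still appears in `overlap` but not in `coordinated`, which separates persistent background scanners from the single-day burst pattern described above.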


The Hacker News Tags:AmazonHosted, ColdFusion, Elasticsearch, Exploit, IPs, Scan, Struts, Targeting
