On May 8, 2025, cybersecurity researchers identified a coordinated scanning operation targeting 75 distinct exposure points across various technologies. This activity involved 251 IP addresses, all geolocated to Japan and hosted by Amazon Web Services (AWS). The operation encompassed a range of behaviors, including exploitation attempts for known vulnerabilities, misconfiguration probes, and reconnaissance activities.
Details of the Scanning Operation
The scanning efforts focused on a diverse set of technologies, including:
– Adobe ColdFusion: Targeted using CVE-2018-15961, a remote code execution vulnerability.
– Apache Struts: Exploited via CVE-2017-5638, an OGNL injection flaw.
– Atlassian Confluence: Attacked through CVE-2022-26134, another OGNL injection vulnerability.
– Bash: Subjected to CVE-2014-6271, commonly known as Shellshock.
– Elasticsearch: Exploited using CVE-2015-1427, which allows for Groovy sandbox bypass and remote code execution.
Additional targets included CGI script scanning, environment variable exposure, Git configuration crawlers, shell upload checks, and WordPress author enumeration.
Characteristics of the Attack
Notably, the scanning activity was confined to a single day, with no observed activity before or after May 8. This suggests the use of temporary infrastructure, likely rented for this specific operation. The high degree of overlap in behavior across the 251 IPs indicates a single operator or toolset orchestrating the scans.
Implications and Recommendations
The use of AWS-hosted IPs for such scanning activities underscores the challenges in attributing malicious actions to specific actors, given the ease of acquiring temporary cloud resources. Organizations are advised to block the identified malicious IP addresses to mitigate potential threats. However, it’s important to remain vigilant, as follow-up exploitation attempts may originate from different infrastructure.
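As an added example, not code from the report, the following Python detector classifies web-server access-log lines into the probe categories named above (Shellshock, OGNL injection, Git configuration, environment-variable files, CGI scanning, WordPress author enumeration) and flags source IPs whose probes span several categories, which is the single-operator overlap pattern the report describes. The regular expressions and the sample log lines are constructed assumptions, and the Struts CVE-2017-5638 vector is not covered because Combined Log Format does not record the Content-Type header it arrives in.

```python
import re
from collections import defaultdict

# Probe categories mirroring the exposure points in the report. The patterns are
# assumptions (one common form of each probe), not signatures from the report.
PROBE_PATTERNS = {
    "shellshock":     re.compile(r"\(\)\s*\{"),                 # CVE-2014-6271 function-definition marker
    "ognl_injection": re.compile(r"\$\{|%24%7B|%\{", re.I),     # CVE-2017-5638 / CVE-2022-26134 style
    "git_config":     re.compile(r"/\.git/config"),             # Git configuration crawler
    "env_exposure":   re.compile(r"/\.env\b"),                  # environment-variable file probe
    "cgi_scan":       re.compile(r"^/cgi-bin/"),                # CGI script scanning
    "wp_author_enum": re.compile(r"[?&]author=\d+"),            # WordPress author enumeration
}

# Combined Log Format: ip ident user [time] "METHOD PATH PROTO" status size "referer" "user-agent"
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [08/May/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/May/2025:10:01:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/May/2025:10:01:04 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/May/2025:10:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153 "-" "() { :; }"',
    '203.0.113.11 - - [08/May/2025:10:02:00 +0000] "GET /%24%7Bprobe%7D/ HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.7 - - [08/May/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def classify(line):
    """Parse one CLF line; return (source_ip, set of matched probe categories) or None if unparseable."""
    m = CLF.match(line)
    if not m:
        return None
    ip, _method, path, _status, ua = m.groups()
    haystack = path + " " + ua          # path first, so the '^' anchor still applies to the path
    return ip, {name for name, pat in PROBE_PATTERNS.items() if pat.search(haystack)}

def summarize(lines, min_categories=3):
    """Aggregate probe categories per source IP and flag IPs spanning several categories:
    one IP hitting many unrelated exposure points is a stronger block-list candidate than a lone 404."""
    per_ip = defaultdict(set)
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:        # keep only lines that matched at least one probe category
            per_ip[parsed[0]] |= parsed[1]
    flagged = sorted(ip for ip, cats in per_ip.items() if len(cats) >= min_categories)
    return dict(per_ip), flagged
```

Running `summarize(SAMPLE_LOG)` flags 203.0.113.10 (five categories) and leaves 203.0.113.11 (one category) below the threshold, so only the former is proposed for the block list.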