251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch

May 28, 2025Ravie LakshmananNetwork Security / Vulnerability

Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct “exposure points” earlier this month.

The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon.

“These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity,” the threat intelligence firm said. “All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation.”

The scanning efforts have been found to have targeted a wide array of technologies from Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic, among others.

The opportunistic operation ranged from exploitation attempts for known CVEs to probes for misconfigurations and other weak points in web infrastructure, indicating that the threat actors were looking indiscriminately for any susceptible system

• Adobe ColdFusion — CVE-2018-15961 (Remote code execution)
• Apache Struts — CVE-2017-5638 (OGNL injection)
• Atlassian Confluence — CVE-2022-26134 (OGNL Injection)
• Bash — CVE-2014-6271 (Shellshock)
• Elasticsearch — CVE-2015-1427 (Groovy sandbox bypass and remote code execution)
• CGI script scanning
• Environment variable exposure
• Git config crawlers
• Shell upload checks, and
• WordPress author checks

An interesting aspect is that the broad-spectrum scan was active only on May 8, with no noticeable change in the activity before or after the date.

GreyNoise said 295 IP addresses were scanned for CVE-2018-15961, 265 IPs for Apache Struts, and 260 IPs for CVE-2015-1427. Out of these, 262 IPs overlapped between ColdFusion and Struts and 251 IPs overlapped across all the three vulnerability scans.

“This level of overlap points to a single operator or toolset deployed across many temporary IPs — an increasingly common pattern in opportunistic but orchestral scanning,” GreyNoise said.

To mitigate the activity, organizations are required to block the malicious IP addresses immediately, although it bears noting that follow-up exploitation may emanate from different infrastructures.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!