Full Report
Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon. "These IPs triggered 75 distinct behaviors, including CVE exploits,
Analysis Summary
# Tool/Technique: Coordinated Cloud-Based Scanning Operation (Targeting ColdFusion, Struts, Elasticsearch, etc.)
## Overview
A coordinated, large-scale scanning operation observed by GreyNoise on May 8, 2025, using 251 distinct, short-lived Amazon-hosted IP addresses, all geolocated to Japan. Its purpose was most likely reconnaissance and exploitation of vulnerable web applications and services, sweeping for known weaknesses across a wide technology stack.
## Technical Details
- Type: Tool/Procedure (Orchestrated Scanning Activity)
- Platform: Web Servers, Application Platforms (ColdFusion, Struts, Tomcat, Drupal, Elasticsearch, WebLogic)
- Capabilities: Automated exploitation attempts against known CVEs, misconfiguration probing, and general reconnaissance.
- First Seen: May 8, 2025
## MITRE ATT&CK Mapping
This activity primarily maps to the Reconnaissance and Initial Access tactics, through vulnerability scanning and exploitation attempts against public-facing applications.
- **TA0043 - Reconnaissance**
  - **T1595 - Active Scanning**
    - T1595.001 - Vulnerability Scanning
- **TA0001 - Initial Access**
  - **T1190 - Exploit Public-Facing Application**
## Functionality
### Core Capabilities
- **Vulnerability Probing:** Actively attempting to exploit documented CVEs in widely used software (Adobe ColdFusion, Apache Struts, Atlassian Confluence, Elasticsearch, and Bash reached through CGI for Shellshock).
- **Misconfiguration Probing:** Checking for common weak points such as environment-variable leaks (typically `.env` files left reachable under the web root).
- **Reconnaissance Artifacts:** Scanning for specific artifacts such as Git metadata (`.git` crawlers) and WordPress author enumeration.
- **Payload Attempts:** Indications of web shell upload checks and probes to verify whether a remote shell can be established.
### Advanced Features
- **Orchestrated Infrastructure:** The same 251 IPs were seen scanning for ColdFusion, Struts, and Elasticsearch vulnerabilities. That degree of overlap points to a single operator or controller driving a distributed, short-lived scanning fleet on cloud hosting (AWS), rather than to unrelated scanners that happened to coincide.
- **Temporal Focus:** The activity was concentrated on a single day, a one-shot "big-bang" scan rather than a sustained campaign.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: [Not applicable/Not specified in the context]
- Network Indicators: 251 Amazon-hosted IP addresses geolocated to Japan, all active on May 8, 2025. These are ephemeral cloud addresses: they are useful for blocking only while the activity is being observed, and a static list goes stale quickly and may later match legitimate AWS tenants, so apply blocks with an expiry or consume a continuously updated feed.
- Behavioral Indicators: Mass, coordinated scanning from many IPs at once, with individual sources probing several unrelated stacks (ColdFusion, Struts, Elasticsearch) against endpoints associated with known vulnerabilities.
## Associated Threat Actors
- Unknown/Opportunistic Threat Actor(s) (Described as an "opportunistic operation" utilizing temporary infrastructure).
## Detection Methods
- Signature-based detection: WAF/IDS signatures for the exploit patterns of the listed CVEs (for example OGNL expressions in Struts and Confluence requests, `() {` in HTTP headers for Shellshock) and for the recon probes (`.git/config`, `.env`, WordPress `?author=` enumeration).
- Behavioral detection: Many source IPs within one cloud provider's address space hitting diverse, unrelated application components in a short window. A single IP that probes several unrelated stacks (ColdFusion, then Elasticsearch, then WordPress) within minutes is itself a strong signal, since legitimate clients rarely do that.
- YARA rules: [Not available in the context]
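The behavioral rule above, written out as runnable detection logic. This is an added example, not code from GreyNoise or from the page's source report. It assumes web server logs in Apache/Nginx Combined Log Format; the signature regexes are simplified, illustrative stand-ins for the probes listed in this summary (not full exploit patterns), the `/16` grouping is a crude substitute for an ASN or cloud-provider range lookup, and the sample log lines are constructed for the demonstration.

```python
"""Added example: flag source IPs that hit several unrelated exploit/recon
signatures within a short window, then cluster the flagged IPs by prefix.
Signatures, thresholds and sample log lines are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Combined Log Format: ip ident user [ts] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative signatures (assumed), applied to the whole raw line. Payloads that ride
# in a request body or in a header the log does not record (CVE-2017-5638's Content-Type
# OGNL, CVE-2015-1427's Groovy script body) are invisible here; only the URI-level probe is.
SIGNATURES = {
    "coldfusion_admin":    re.compile(r"/CFIDE/|/cf_scripts/"),
    "confluence_ognl":     re.compile(r"/%24%7B|/\$\{"),          # ${...} in the path
    "elasticsearch_probe": re.compile(r"/_search|/_nodes|/_cat/"),
    "shellshock":          re.compile(r"\(\)\s*\{"),                # "() {" in a header value
    "git_config":          re.compile(r"/\.git/"),
    "env_file":            re.compile(r"/\.env\b"),
    "wp_author_enum":      re.compile(r"[?&]author=\d+"),
    "shell_upload":        re.compile(r"POST \S+\.(?:php|jsp|cfm|aspx?)\b"),
}

# Constructed sample log (TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/May/2025:10:01:03 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [08/May/2025:10:01:05 +0000] "GET /%24%7B%28%23a%3D1%29%7D/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [08/May/2025:10:01:07 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.11 - - [08/May/2025:10:02:11 +0000] "GET /_nodes HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.11 - - [08/May/2025:10:02:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153 "-" "() { :; }; /bin/bash -c id"
203.0.113.11 - - [08/May/2025:10:02:14 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.12 - - [08/May/2025:10:03:40 +0000] "GET /?author=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [08/May/2025:10:03:41 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.12 - - [08/May/2025:10:03:43 +0000] "POST /uploads/sh.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [08/May/2025:11:30:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Return (ip, timestamp) for a Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def classify(line):
    """Names of every signature the raw line matches (empty set for benign traffic)."""
    return {name for name, rx in SIGNATURES.items() if rx.search(line)}


def find_coordinated_scanners(lines, min_behaviors=3, window=timedelta(hours=1),
                              prefix_len=16, min_ips_per_prefix=3):
    """Two-stage detection.
    1. Per IP: at least `min_behaviors` distinct signatures, with the IP's first and
       last matching request no more than `window` apart (a single probe such as one
       .git/config fetch stays below the threshold).
    2. Across IPs: group stage-1 hits by /prefix_len and report prefixes contributing
       at least `min_ips_per_prefix` flagged IPs, i.e. a fleet rather than a lone scanner.
    Returns (flagged_ips, clusters)."""
    per_ip = defaultdict(lambda: {"behaviors": set(), "first": None, "last": None})
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue                      # malformed entry: skip rather than crash
        tags = classify(raw)
        if not tags:
            continue
        ip, ts = parsed
        entry = per_ip[ip]
        entry["behaviors"] |= tags
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)

    flagged = {ip: e for ip, e in per_ip.items()
               if len(e["behaviors"]) >= min_behaviors and e["last"] - e["first"] <= window}

    by_prefix = defaultdict(set)
    for ip in flagged:
        by_prefix[ip_network(f"{ip}/{prefix_len}", strict=False)].add(ip)
    clusters = {str(net): sorted(ips) for net, ips in by_prefix.items()
                if len(ips) >= min_ips_per_prefix}
    return flagged, clusters


if __name__ == "__main__":
    flagged, clusters = find_coordinated_scanners(SAMPLE_LOG.splitlines())
    for ip, e in sorted(flagged.items()):
        print(ip, sorted(e["behaviors"]))
    print("clusters:", clusters)
```

On the constructed sample, the three 203.0.113.x hosts are flagged (three distinct probes each within seconds) and cluster under one /16, while the benign client and the single `.git/config` fetch from 198.51.100.8 are not. In production, replace the prefix grouping with an ASN or cloud-range lookup, evaluate the per-IP stage over a sliding window rather than the whole file, and tune `min_behaviors` so that your own authorized scanner does not trip the rule.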
## Mitigation Strategies
- **Immediate Blocking:** Block the specific set of malicious IP addresses identified during the scanning window, with an expiry rather than a permanent rule, since cloud addresses are recycled to other tenants once the operator releases them.
- **Patching/Virtual Patching:** Immediately patch or secure exposed instances of Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic.
- **Infrastructure Hardening:** Review configurations so that environment variables and secrets are never served from the web root (for example `.env` files or exposed `.git` directories), and secure every web application component, including administrative interfaces.
## Related Tools/Techniques
- Generic scanner tools used for widespread vulnerability enumeration.
- Cloud-based infrastructure abuse patterns (using services like AWS for short-term attacker infrastructure).
- Specific CVEs probed:
  - CVE-2018-15961 (Adobe ColdFusion unrestricted file upload leading to RCE)
  - CVE-2017-5638 (Apache Struts 2 OGNL injection via the Jakarta multipart parser)
  - CVE-2022-26134 (Atlassian Confluence OGNL injection)
  - CVE-2014-6271 (GNU Bash "Shellshock", typically reached through CGI)
  - CVE-2015-1427 (Elasticsearch Groovy sandbox bypass leading to RCE)