Cloud Devices Under Attack: 251 Malicious IPs Exploit 75 Exposure Points

A highly coordinated cyberattack campaign involving 251 malicious IP addresses has been discovered targeting cloud-based infrastructure through 75 distinct vulnerability exploitation methods.

The sophisticated operation, observed by GreyNoise on May 8, demonstrates the evolving tactics of threat actors who leverage temporary cloud infrastructure to conduct broad-spectrum reconnaissance and exploitation attempts against enterprise systems worldwide.

Security researchers identified a precisely orchestrated reconnaissance operation launched by 251 IP addresses, all geolocated to Japan and hosted by Amazon AWS infrastructure.

The attack demonstrated remarkable coordination, with every participating IP address active exclusively on May 8, showing no noticeable activity before or after this date.

This pattern indicates the attackers rented temporary cloud infrastructure specifically for this single-day operation, highlighting the increasing sophistication of modern cyber threats.

The campaign targeted a diverse range of technologies through exploitation attempts for well-known vulnerabilities, including Adobe ColdFusion CVE-2018-15961, Apache Struts CVE-2017-5638, Elasticsearch CVE-2015-1427, Atlassian Confluence CVE-2022-26134, and the notorious Shellshock vulnerability CVE-2014-6271.

Despite these vulnerabilities being disclosed years ago, they continue to attract significant attention from opportunistic attackers, reflecting ongoing challenges in enterprise patch management and legacy system security.

Broad-Spectrum Reconnaissance

The scope of the scanning operation revealed strategic planning rather than random opportunistic behavior.

Analysis showed significant infrastructure overlap between different attack vectors, with 295 IPs scanning for ColdFusion vulnerabilities, 265 IPs targeting Apache Struts, and 260 IPs probing Elasticsearch systems.

Most remarkably, 251 IPs overlapped across all three primary targets and collectively triggered 75 distinct GreyNoise behavioral tags.

The attack encompassed various categories of malicious activity beyond simple vulnerability exploitation.

Reconnaissance techniques included WordPress author enumeration, CGI script scanning, and web.xml access attempts.

Misconfiguration probes targeted Git configuration files, environment variable exposures, and shell upload capabilities.

The operation also included exploitation attempts against IoT devices, content management systems, and legacy enterprise applications, demonstrating the attackers’ comprehensive approach to identifying vulnerable systems.

Immediate Defensive Measures

GreyNoise researchers emphasize that this coordinated scanning behavior should be treated as an early warning signal for potential follow-up exploitation attempts.

Similar scanning patterns have historically preceded the discovery of zero-day vulnerabilities in enterprise systems, making immediate defensive action crucial.

All 251 IP addresses have been classified as malicious by GreyNoise’s real-time threat intelligence platform.

Security teams are advised to immediately check their May 8 logs for any indicators of compromise and block the entire list of 251 identified malicious IP addresses.

Organizations should also implement dynamic IP blocking capabilities to respond instantly to new scanning infrastructure as it appears in future campaigns.

Additionally, defenders should identify which of the 75 GreyNoise behavioral tags apply to their specific environment and configure automated blocking for IPs engaging in those particular activities.
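One way to act on the two recommendations above, as an added example that is not code from the article or from GreyNoise's platform: the script below restricts an Apache-style access log to the May 8 window, tags each source IP with simple probe signatures for the categories the article names (ColdFusion, Git configuration, .env, web.xml, WordPress author enumeration, CGI scanning, Shellshock), and flags any IP that appears on a blocklist the defender supplies. The tag names, the sample log lines and the 2025 date are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Apache combined log format); IPs are documentation-range placeholders, not addresses from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [08/May/2025:03:12:44 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [08/May/2025:03:12:45 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.11 - - [08/May/2025:03:13:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "() { :;}; echo"
203.0.113.12 - - [08/May/2025:03:14:07 +0000] "GET /?author=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/May/2025:22:40:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [08/May/2025:09:00:00 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 403 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Hypothetical tag names for the probe categories the article lists (not GreyNoise's own tag identifiers);
# each predicate receives the request line and the User-Agent string.
SIGNATURES = {
    "coldfusion-probe": lambda req, ua: "/cfide/" in req.lower(),
    "git-config-probe": lambda req, ua: "/.git/" in req,
    "env-file-probe": lambda req, ua: "/.env" in req,
    "web-xml-probe": lambda req, ua: "web.xml" in req.lower(),
    "wp-author-enum": lambda req, ua: re.search(r"[?&]author=\d+", req) is not None,
    "cgi-scan": lambda req, ua: "/cgi-bin/" in req,
    "shellshock-attempt": lambda req, ua: "() {" in ua or "() {" in req,
}

def scan_log(text, day, blocklist=frozenset()):
    """Return {ip: sorted tags} for requests dated `day` (YYYY-MM-DD) that match a
    signature or originate from an IP on the supplied blocklist."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts.date().isoformat() != day:
            continue  # only the single-day window the campaign was active in
        ip, req, ua = m["ip"], m["req"], m["ua"]
        for tag, matches in SIGNATURES.items():
            if matches(req, ua):
                hits[ip].add(tag)
        if ip in blocklist:
            hits[ip].add("known-malicious-ip")
    return {ip: sorted(tags) for ip, tags in hits.items()}
```

Feed it the real log and the published IP list in place of the constructed values; the per-IP tag sets are what you would turn into firewall rules for the tags that matter in your environment.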

This incident underscores the critical importance of maintaining current patch levels, especially for edge infrastructure and legacy systems that may be overlooked in regular maintenance cycles.

The 2025 Verizon Data Breach Investigations Report highlighted concerning trends in time-to-mass-exploit and remediation delays for edge technologies, making proactive defense strategies essential for modern cybersecurity.

Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
