251 Malicious IPs Attacking Cloud-Based Devices Leveraging 75 Exposure Points

A highly coordinated reconnaissance campaign deployed 251 malicious IP addresses in a single-day operation targeting cloud-based infrastructure.
The attack, which occurred on May 8, 2025, demonstrated unprecedented coordination as threat actors leveraged 75 distinct exposure points to probe vulnerable systems across multiple enterprise technologies.
Cloud-Based Reconnaissance Operation
The coordinated campaign utilized exclusively Amazon Web Services infrastructure, with all 251 IP addresses geolocated to Japan and hosted by AWS cloud services.
Security analysts noted the operation’s surgical precision, as every IP address remained active only during the May 8 timeframe, with no observable activity before or after the coordinated surge.
This pattern strongly indicates the temporary rental of cloud infrastructure specifically for this reconnaissance operation.
GreyNoise’s overlap analysis revealed remarkable coordination among the attacking infrastructure.
Specifically, 295 IP addresses scanned for Adobe ColdFusion vulnerabilities (CVE-2018-15961), 265 IPs targeted Apache Struts systems (CVE-2017-5638), and 260 IPs probed Elasticsearch implementations (CVE-2015-1427).
The most significant finding showed 251 IPs overlapping across all three vulnerability categories, triggering the complete set of 75 GreyNoise detection tags.
Technical analysis demonstrates this wasn’t random scanning activity but rather a centrally controlled operation.
The infrastructure included IP addresses such as 13.112.127.102, 13.113.184.40, and 18.176.55.146, among others, in the comprehensive 251-address list compiled by GreyNoise researchers.
Multiple Enterprise Vulnerabilities Targeted
The attack campaign systematically targeted critical vulnerabilities across diverse technology stacks, focusing heavily on enterprise edge infrastructure.
Primary targets included Adobe ColdFusion remote code execution vulnerabilities (CVE-2018-15961), Apache Struts OGNL injection flaws (CVE-2017-5638), and Elasticsearch Groovy sandbox bypass vulnerabilities (CVE-2015-1427).
Additional reconnaissance efforts encompassed Oracle WebLogic servers, Apache Tomcat installations, and various content management systems, including WordPress, Drupal, and Atlassian Confluence platforms.
The attackers also deployed specialized scanning techniques targeting IoT devices, including GPON routers (CVE-2018-10561), Netgear wireless access points, and various network-attached storage systems.
Particularly concerning was the focus on legacy vulnerabilities such as Shellshock (CVE-2014-6271) and older Elasticsearch implementations, suggesting attackers specifically targeted organizations with delayed patching cycles.
The 2025 Verizon Data Breach Investigations Report had previously highlighted edge infrastructure as a critical risk area, noting concerning trends in time-to-mass-exploit and remediation delays.
Defensive Recommendations
Primary recommendations include reviewing May 8 security logs for suspicious activity, implementing IP blocking for the identified 251 malicious addresses, and establishing dynamic blocking mechanisms for IPs targeting the 75 specific vulnerability categories.
GreyNoise has classified all 251 IP addresses as malicious and recommends organizations implement automated blocking using iptables commands such as iptables -A INPUT -s [malicious_ip] -j DROP for Linux systems, or equivalent firewall rules for their respective infrastructure.
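As an added illustration of these two steps (not code from GreyNoise or from the article), the following Python script reviews a web access log for May 8 activity, flags sources that appear on the published blocklist or that probed several distinct paths on the same day, and renders the iptables DROP rules recommended above. The log lines, the 203.0.113.9 and 198.51.100.7 addresses and the probed paths are constructed for the example; only the three addresses 13.112.127.102, 13.113.184.40 and 18.176.55.146 come from the article.

```python
import re
from collections import defaultdict

# Blocklist: the three addresses quoted in the article. The full 251-entry list
# is published by GreyNoise and would normally be loaded from a file.
BLOCKLIST = {"13.112.127.102", "13.113.184.40", "18.176.55.146"}

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
13.112.127.102 - - [08/May/2025:03:14:07 +0000] "GET /cf_scripts/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
13.112.127.102 - - [08/May/2025:03:14:09 +0000] "POST /index.action HTTP/1.1" 404 196 "-" "Mozilla/5.0"
13.112.127.102 - - [08/May/2025:03:14:11 +0000] "POST /_search HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [07/May/2025:22:10:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2025:03:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2025:04:01:30 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [08/May/2025:04:01:31 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [08/May/2025:04:01:32 +0000] "GET /manager/html HTTP/1.1" 404 196 "-" "curl/8.0"
18.176.55.146 - - [08/May/2025:05:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, day, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day, method, path, status = m.groups()
    return ip, day, method, path, int(status)

def review_log(text, day="08/May/2025", min_paths=3, blocklist=BLOCKLIST):
    """Overlap-style review: per source IP on the given day, collect the distinct
    paths probed and flag the IP if it is on the blocklist or touched at least
    min_paths distinct paths (a simple proxy for multi-product scanning)."""
    paths = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == day:
            paths[rec[0]].add(rec[3])
    report = {}
    for ip, seen in paths.items():
        listed = ip in blocklist
        report[ip] = {"on_blocklist": listed, "distinct_paths": len(seen),
                      "flagged": listed or len(seen) >= min_paths}
    return report

def iptables_rules(report):
    """Render the DROP rule the article recommends, one per flagged IP."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip in sorted(report) if report[ip]["flagged"]]
```

Blocklisted addresses are flagged on a single request, while 198.51.100.7 is flagged only because it probed three unrelated product paths on the same day; the May 7 entry is ignored by the day filter.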
This coordinated campaign reflects broader trends in opportunistic but orchestrated scanning operations.
Similar reconnaissance patterns have historically preceded the discovery of zero-day vulnerabilities, as evidenced by recent scanning activity that preceded disclosed vulnerabilities in Ivanti EPMM systems.
Organizations should treat coordinated scanning as an early warning signal and proactively harden exposed systems against potential follow-up exploitation attempts.