Stratos Ally

GreyNoise Identifies Coordinated Scanning Operation Across the Web


StratosAlly


Cybersecurity experts shared that earlier this month, a group of computers worked together to scan the internet for security weaknesses.  

This happened on May 8, 2025, and was spotted by a company called GreyNoise. All 251 suspicious IP addresses were Amazon-hosted infrastructure in Japan.

These computers tried 75 different tasks, like looking for known security problems, checking for setup mistakes, and gathering information. GreyNoise noted that the IP addresses involved were inactive both before and after the scanning took place, indicating they were likely used just for this particular operation and then shut down.

The scanning activity focused on multiple technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic, along with several more.  

The attackers were carrying out a broad and opportunistic scan, looking for any vulnerable system. Rather than aiming at one specific company or technology, they tested a wide range of known weaknesses and misconfigurations to see what they could find.

Some specific vulnerabilities they tried to exploit included: 

  • Adobe ColdFusion: CVE-2018-15961
  • Apache Struts: CVE-2017-5638
  • Atlassian Confluence: CVE-2014-6271
  • Bash: CVE-2014-6271
  • Elasticsearch: CVE-2015-1447

They also checked for: 

  • CGI scripts that might be insecure
  • Exposure of environment variables
  • Sensitive data exposed through Git settings files
  • Opportunities to upload and trigger harmful scripts
  • WordPress author checks to find user accounts for later attacks

One interesting detail is that the large-scale scanning only happened on May 8, with no unusual activity seen before or after that day.  

GreyNoise identified 295 IP addresses scanning for a ColdFusion bug (CVE-2018-15961), 265 IPs targeting an Apache Struts flaw, and 260 IPs attempting to exploit an Elasticsearch vulnerability. Among these, 262 IP addresses were used to scan for both ColdFusion and Struts, and 251 IPs were common across all three scanning activities.

GreyNoise said this high amount of overlap suggests that the same group or tool was used across many temporary IP addresses. This pattern is becoming more common in broad, coordinated scanning efforts where attackers are looking for any system they can exploit.  
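Defenders can run the same overlap check on their own sensor or log data. The Python below is an added example, not GreyNoise's code: the event records, tag names and IP addresses (documentation ranges) are constructed, and the function names are hypothetical. It finds the IPs shared across several scan types and keeps only those whose whole activity falls on a single day.

```python
from collections import defaultdict
from datetime import date

# Constructed sample events: (source IP, scan tag, day seen). The tags are
# assumed labels a sensor would assign; none of this is GreyNoise data.
EVENTS = [
    ("192.0.2.10", "coldfusion", date(2025, 5, 8)),
    ("192.0.2.10", "struts", date(2025, 5, 8)),
    ("192.0.2.10", "elasticsearch", date(2025, 5, 8)),
    ("192.0.2.11", "coldfusion", date(2025, 5, 8)),
    ("192.0.2.11", "struts", date(2025, 5, 8)),
    ("192.0.2.11", "elasticsearch", date(2025, 5, 8)),
    ("192.0.2.12", "coldfusion", date(2025, 5, 8)),
    ("192.0.2.12", "struts", date(2025, 5, 8)),
    ("198.51.100.7", "coldfusion", date(2025, 5, 2)),  # long-running scanner
    ("198.51.100.7", "coldfusion", date(2025, 5, 8)),
    ("198.51.100.7", "coldfusion", date(2025, 5, 12)),
    ("203.0.113.5", "elasticsearch", date(2025, 5, 8)),
]

def ips_by_tag(events):
    """Map each scan tag to the set of source IPs seen performing it."""
    tags = defaultdict(set)
    for ip, tag, _day in events:
        tags[tag].add(ip)
    return dict(tags)

def shared_ips(events, tags):
    """IPs present in every one of the given tags (set intersection)."""
    by_tag = ips_by_tag(events)
    return set.intersection(*(by_tag.get(t, set()) for t in tags))

def single_day_ips(events):
    """IPs whose entire observed activity falls on one calendar day."""
    days = defaultdict(set)
    for ip, _tag, day in events:
        days[ip].add(day)
    return {ip for ip, seen in days.items() if len(seen) == 1}

def coordinated_cohort(events, tags):
    """Candidate cohort: IPs in all tags and active on a single day only."""
    return shared_ips(events, tags) & single_day_ips(events)

def overlap_ratio(events, tags):
    """Share of all IPs seen in any of the tags that appear in every tag."""
    by_tag = ips_by_tag(events)
    union = set().union(*(by_tag.get(t, set()) for t in tags))
    return len(shared_ips(events, tags)) / len(union) if union else 0.0
```

A high overlap ratio combined with single-day activity is the pattern the article describes; the long-running scanner in the sample data is excluded because it was seen on other days.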

To reduce the risk from this kind of activity, organizations should block the identified malicious IP addresses right away. However, it’s important to understand that future attacks might come from different servers or networks. So, blocking these IPs alone isn’t enough. Ongoing monitoring, patching known vulnerabilities, and securing system configurations are also critical steps to stay protected.
