
251 Amazon-Hosted IPs Involved in Global Exploit Scanning Operation – What You Need to Know


A recent cloud-based exploit scanning operation triggered widespread concerns in the cybersecurity space. Security experts identified 251 IP addresses hosted by Amazon Web Services (AWS) in Japan, all linked to coordinated scans for well-known vulnerabilities. In this blog, you’ll learn what occurred, what systems were targeted, and how to protect your network.


What Happened?

On May 8, 2025, researchers at GreyNoise detected a highly organized scanning campaign. Each of the 251 IPs, all located in AWS’s Japan region, conducted scans across various systems. The attackers aimed to exploit known weaknesses in widely used technologies, including:

  • Adobe ColdFusion – CVE-2018-15961
  • Apache Struts – CVE-2017-5638
  • Elasticsearch – CVE-2015-1427
  • Atlassian Confluence – CVE-2022-26134
  • Bash (Shellshock) – CVE-2014-6271

In addition to scanning for vulnerabilities, the campaign searched for exposed CGI scripts, .git folders, and environment variable leaks.


Why This Matters

This operation stands out for several key reasons:

  1. Temporary Cloud Infrastructure
    The IPs were only active on May 8. This indicates that the attackers likely rented cloud servers for a single day to avoid detection and reputation-based blocking.
  2. High-Level Coordination
    The synchronized behavior of the IPs reflects centralized planning and advanced automation.
  3. Focus on Known CVEs
    The scan focused on vulnerabilities that already have public patches. This reinforces the importance of maintaining proper patch management.

What You Should Do Next

You can take several steps to stay protected from cloud-based exploit scanning attacks:

  • Check your logs for traffic from AWS-hosted IPs in Japan on May 8, especially those targeting the vulnerabilities listed.
  • Apply security updates for all affected software immediately, if you haven’t already.
  • Deploy threat monitoring tools that can detect and alert you to abnormal scanning behavior.
  • Block malicious IPs, but don’t rely solely on IP blocking—defense in depth is critical.
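
As an added example (not from the original post or from GreyNoise), the log check in the first step can be scripted against web access logs in the common/combined format. The watch prefix is a constructed documentation range, the path patterns for the .git, CGI and environment-file probes are assumptions, and May 8 is assumed to be evaluated in UTC.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date, datetime, timezone

# Constructed placeholder prefix (documentation range). In practice, load the
# prefixes for AWS's Japan regions from AWS's published ip-ranges.json.
WATCH_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
CAMPAIGN_DAY = date(2025, 5, 8)  # assumption: the day is evaluated in UTC
# Probe categories named in the article; the exact patterns are assumptions.
PROBES = {
    "git": re.compile(r"/\.git(/|$)"),
    "cgi": re.compile(r"/cgi-bin/|\.cgi(\?|$)"),
    "env": re.compile(r"/\.env(\.|\?|$)"),
}
# Common/combined log format: ip - - [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def triage(lines):
    """Return {source_ip: {probe_category: [(path, status), ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the run
        ip_s, ts, path, status = m.groups()
        try:
            ip = ipaddress.ip_address(ip_s)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if when.astimezone(timezone.utc).date() != CAMPAIGN_DAY:
            continue  # compare in UTC, not the server's local offset
        if not any(ip in net for net in WATCH_PREFIXES):
            continue
        for name, rx in PROBES.items():
            if rx.search(path):
                hits[ip_s][name].append((path, int(status)))
    return {ip: dict(cats) for ip, cats in hits.items()}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/May/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153',
    '203.0.113.10 - - [08/May/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 200 512',
    '203.0.113.77 - - [09/May/2025:02:00:00 +0900] "GET /cgi-bin/status HTTP/1.1" 404 153',
    '203.0.113.10 - - [08/May/2025:05:00:00 +0900] "GET /.git/HEAD HTTP/1.1" 404 153',
    '198.51.100.5 - - [08/May/2025:10:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153',
    '203.0.113.10 - - [08/May/2025:10:00:04 +0000] "GET /.github/workflows HTTP/1.1" 404 153',
]
```

Call `triage(SAMPLE_LOG)` (or pass the lines of a real access log) and review any hit with a 200 status first, since that path was actually served.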

By taking action now, you can reduce the chances of a successful exploit against your systems.


Final Thoughts

Coordinated, cloud-based exploit scans are becoming more frequent—and more effective. Even though these AWS-hosted IPs are no longer active, attackers can spin up new ones within minutes. As a result, it’s essential to stay ahead through regular patching, strong network monitoring, and proactive security measures.
