251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

Coordinated Scanning Activity Targeting ColdFusion, Struts, and Elasticsearch Uncovered

May 28, 2025 | Network Security / Vulnerability

Recent investigations by cybersecurity experts revealed a coordinated scanning initiative that exploited vulnerabilities across a range of platforms. On May 8, 2025, GreyNoise observed suspicious activity from approximately 251 malicious IP addresses, all linked to Amazon Web Services and geolocated in Japan. These IPs engaged in 75 varied actions, which included attempts to exploit known vulnerabilities (CVEs), probes for misconfigurations, and reconnaissance efforts targeting web infrastructures.

The targeted technologies encompassed notable frameworks and services, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. The nature of these scanning operations indicates that the threat actors were probing for weaknesses, exhibiting a strategic approach aimed at identifying exploitable points in the web architecture of organizations utilizing these technologies. GreyNoise noted that the activity was marked by a distinct silence surrounding these IPs before and after the observed surge, suggesting they were temporarily rented to undertake this specific operation.

In terms of tactics potentially employed in this incident, the MITRE ATT&CK framework offers insight into the methodologies likely at play. Initial access could have been achieved by leveraging known vulnerabilities associated with the targeted technologies. The attack may also reflect persistence tactics, wherein the threat actors sought to establish ongoing access to compromised systems. Moreover, privilege escalation techniques could have been utilized to gain elevated permissions once inside the infrastructure.

The implications of such scanning activities are significant. Threat actors often utilize similar methods to identify and exploit vulnerabilities that can lead to unauthorized access or data breaches, underlining the importance of proactive monitoring and fortification of web applications. Organizations are advised to ensure that they maintain current security patches, conduct regular security audits, and stay vigilant against such scanning activities to bolster their defenses against potential exploitation.

As the cybersecurity landscape continues to evolve, staying informed about emerging threats is crucial for business owners. The findings from this recent episode serve as a reminder that even established technologies can be points of vulnerability if not adequately protected. Awareness and preparedness are essential in mitigating the risks posed by opportunistic attacks like these.

Source link

Related Posts

Urgent Vulnerability in Windows Server 2025 dMSA Poses Risk of Active Directory Breach

May 22, 2025
Cybersecurity / Vulnerability

A critical privilege escalation flaw has been identified in Windows Server 2025, allowing attackers to compromise any user within Active Directory (AD). According to Akamai security researcher Yuval Gordon, the vulnerability exploits the Delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. This attack can be executed easily with the default configuration, posing a significant threat to organizations relying on AD. “In 91% of the environments we examined, users outside of the domain admin group possessed the necessary permissions to carry out this attack,” Gordon noted in a report shared with The Hacker News. The vulnerability takes advantage of the dMSA feature designed to facilitate migration from legacy service accounts and intended to mitigate Kerberoasting attacks. The attack technique has been dubbed “BadSuccessor” by the researchers.

Chinese Hackers Leverage Trimble Cityworks Vulnerability to Access U.S. Government Networks

May 22, 2025
Vulnerability / Threat Intelligence

A Chinese-speaking threat actor, identified as UAT-6382, has exploited a recently patched remote-code-execution vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell. According to an analysis by Cisco Talos researchers Asheer Malhotra and Brandon White, “UAT-6382 effectively targeted CVE-2025-0944, conducted reconnaissance, and quickly implemented various web shells and custom malware for sustained access.” Following their infiltration, UAT-6382 showed significant interest in systems related to utility management. Cisco Talos observed these attacks beginning in January 2025, specifically aimed at the enterprise networks of local government entities in the U.S. CVE-2025-0944, with a CVSS score of 8.6, pertains to a vulnerability in the GIS-focused asset management software that could allow for remote code execution. The flaw has been patched.

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptocurrency Miners and Proxyware

Date: May 28, 2025
Categories: Cryptojacking / Vulnerability

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution vulnerability in the Craft Content Management System (CMS). This flaw has been leveraged to deploy multiple payloads, including a cryptocurrency miner, a loader known as Mimo Loader, and residential proxyware. The vulnerability, identified as CVE-2025-32432, is a high-severity issue in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The security defect was first revealed in April 2025 by Orange Cyberdefense SensePost after it was linked to attacks that occurred earlier in February. According to a recent report from Sekoia, the attackers have weaponized CVE-2025-32432 to gain unauthorized access to targeted systems and deploy a web shell for persistent remote control. This web shell is utilized to download and execute a shell script (“4l4md4r.sh”) from a remote server using tools such as curl, wget, or the Python library urllib2.

Microsoft OneDrive File Picker Vulnerability Allows Full Access to Cloud Storage When Uploading a Single File

May 28, 2025
Data Privacy / Vulnerability

Cybersecurity researchers have identified a serious security flaw in Microsoft’s OneDrive File Picker. If exploited, this vulnerability could enable websites to gain access to a user’s entire cloud storage, rather than just the files intended for upload. According to the Oasis Research Team’s report to The Hacker News, the issue arises from overly broad OAuth scopes and unclear consent screens that do not adequately communicate the level of access being granted. This flaw poses significant risks, including potential customer data leaks and violations of compliance regulations. Affected applications may include ChatGPT, Slack, Trello, and ClickUp, all of which integrate with Microsoft’s cloud service. The core of the problem lies in the excessive permissions required by the OneDrive File Picker, which requests read access to the entire drive, even when only a single file is selected for upload, due to a lack of fine-grained permission controls.