On May 8, cybersecurity firm GreyNoise reported a coordinated reconnaissance campaign executed by 251 malicious IP addresses, all traced back to Japan and hosted on Amazon AWS. This operation involved 75 distinct scanning behaviors, which included attempts to exploit known vulnerabilities as well as probing for misconfigurations within web infrastructure.
The timing and execution of the campaign suggest a high degree of organization, as every malicious IP was active exclusively on May 8, indicating a temporary use of cloud infrastructure for this targeted attack. GreyNoise describes this operation as opportunistic, but the underlying infrastructure hints at centralized planning.
The vulnerabilities targeted in this campaign are not new; they have been disclosed for years yet still attract interest from attackers. GreyNoise’s recent research highlights this trend of long-disclosed flaws resurfacing in the threat landscape.
This extensive operation was not confined to a single exploit or technology stack. It was a broad-spectrum search for any vulnerable system, especially outdated edge infrastructure that may be neglected during patch cycles. Such patterns suggest that the scanning may have been performed by a single operator or a unified toolset spread across a range of IPs, which is characteristic of orchestrated scanning efforts.
In response to these attacks, GreyNoise has compiled and made public the full list of the 251 malicious IPs involved in this reconnaissance, urging defenders to take immediate action by blocking these addresses. Effective blocking measures are essential to mitigate risks as follow-up exploitation may emerge from varied infrastructures.
Defenders are encouraged to assess their systems against the identified GreyNoise tags and implement dynamic blocking of any engaged IPs. GreyNoise is committed to monitoring this situation closely and will provide ongoing updates as the situation evolves.
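One way to review web access logs against the published list, as an added example that is not GreyNoise's code. The blocklist entries, log lines, thresholds and the `review` function are constructed for illustration; the second result flags unlisted sources that share the single-day, many-path, mostly-4xx shape described above.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed stand-ins for the published list (documentation ranges, not real
# indicators); in practice, load the real list into this set.
BLOCKLIST = {"203.0.113.10", "203.0.113.77"}

# Constructed access-log lines in combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [08/May/2025:03:12:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.10 - - [08/May/2025:03:12:02 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.10 - - [08/May/2025:03:12:03 +0000] "GET /cgi-bin/status HTTP/1.1" 403 153
198.51.100.5 - - [08/May/2025:09:40:10 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.5 - - [08/May/2025:09:40:11 +0000] "GET /old-admin/ HTTP/1.1" 404 153
198.51.100.5 - - [08/May/2025:09:40:12 +0000] "POST /cgi-bin/status HTTP/1.1" 404 153
192.0.2.44 - - [07/May/2025:11:00:00 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [08/May/2025:11:05:00 +0000] "GET /missing.png HTTP/1.1" 404 153
192.0.2.44 - - [08/May/2025:11:05:02 +0000] "GET /pricing HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')

def review(log_text, blocklist, min_paths=3, min_error_ratio=0.8):
    """Return ({listed_ip: request_count}, [unlisted IPs with the same scan shape])."""
    stats = defaultdict(lambda: {"days": set(), "paths": set(), "errors": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        raw_ip, day, path, status = m.groups()
        try:
            ip = str(ip_address(raw_ip))  # normalise so set lookups are exact
        except ValueError:
            continue
        s = stats[ip]
        s["days"].add(day)
        s["paths"].add(path.split("?", 1)[0])  # ignore query strings
        s["total"] += 1
        s["errors"] += status.startswith("4")
    listed = {ip: s["total"] for ip, s in stats.items() if ip in blocklist}
    # Unlisted sources with the same shape: one day, many paths, mostly 4xx.
    suspects = sorted(
        ip for ip, s in stats.items()
        if ip not in blocklist and len(s["days"]) == 1
        and len(s["paths"]) >= min_paths and s["errors"] / s["total"] >= min_error_ratio
    )
    return listed, suspects

print(review(SAMPLE_LOG, BLOCKLIST))
```

Listed hits are candidates for immediate blocking; the heuristic matches are leads for manual review, since legitimate crawlers and broken clients can produce the same pattern.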
For organizations seeking to enhance their defensive strategies, GreyNoise is developing an advanced dynamic IP blocklist to facilitate quicker responses to emerging threats.