
In a stark reminder of the increasing coordination among cybercriminal groups, a new wave of attacks involving 295 malicious IP addresses has been discovered, targeting organizations across North America, Europe, and parts of Asia. The operation showcases the growing scale, organization, and technical sophistication of modern threat campaigns.
What Happened?
According to researchers at Lumen Black Lotus Labs, the threat actors launched a globally coordinated campaign using a large infrastructure of compromised or spoofed IPs. The attacks focused on scanning and exploiting enterprise networks, targeting weak remote access protocols and unpatched systems.
The malicious activity appears to be linked to initial access brokers (IABs) — cybercriminal groups that specialize in breaching networks and then selling that access to ransomware operators and nation-state threat actors.
“This isn’t just a case of random opportunism,” Black Lotus Labs said. “It’s a calculated campaign using a diverse set of infrastructure to evade detection and distribute their scanning load across geographies.”
Key Details
- 295 IP addresses were involved in the campaign, distributed across 20+ countries.
- The IPs conducted extensive port scanning, vulnerability probing, and authentication attempts targeting:
  - VPN gateways
  - Remote desktop services (RDP)
  - SSH services
  - Web application interfaces
- Many of the IPs appeared in previously known malicious datasets and threat intelligence feeds.
- A large share of the traffic originated from cloud hosting providers, which are frequently abused by threat actors because of the anonymity and rapid deployment they offer.
Attribution and Intent
While full attribution remains uncertain, the techniques align with those used by access brokers and ransomware affiliates. These entities typically scan for known vulnerabilities (e.g., CVE-2024-XXXXX) and, once access is secured, sell it to other cybercriminal groups, especially ransomware-as-a-service (RaaS) affiliates.
This approach enables multi-layer monetization: the access broker profits from selling the entry point, and the ransomware group profits from the actual extortion.
"The infrastructure used in this campaign shows signs of being part of a larger operation, potentially tied to known RaaS ecosystems," the researchers added.
Who’s at Risk?
Organizations of all sizes across multiple sectors were targeted, with a particular focus on:
- Financial institutions
- Healthcare providers
- Manufacturing and logistics companies
- Government and critical infrastructure
Regions hit hardest include the United States, Germany, India, and Canada—areas with a high concentration of cloud and enterprise infrastructure.
How to Defend Against These Attacks
To protect your organization from these types of coordinated attacks, security teams should:
- Harden exposed services – Disable unused remote access protocols and enforce MFA on RDP/VPN.
- Monitor ingress/egress traffic – Use threat intelligence feeds to block known malicious IPs.
- Apply critical patches immediately – Especially those related to remote access, VPN, and firewall devices.
- Use geofencing when possible – Block IPs from regions not relevant to your business operations.
- Deploy behavior-based threat detection – Signature-based solutions alone won't catch everything in this kind of distributed attack.
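As an added illustration of the last two recommendations (this is not code from the article or from Black Lotus Labs), the following Python script runs a blocklist match and two behavior-based checks over constructed sample log lines: a single source touching many ports, and many sources each making only a few failed logins to one service, which a per-IP lockout threshold would never flag. The log format, the feed contents, the IP addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): "<ts> <src_ip> <dst_port> <service> <result>"
SAMPLE_LOGS = """\
2025-06-01T10:00:01 203.0.113.10 3389 rdp auth_fail
2025-06-01T10:00:02 203.0.113.11 3389 rdp auth_fail
2025-06-01T10:00:03 203.0.113.12 3389 rdp auth_fail
2025-06-01T10:00:04 203.0.113.13 3389 rdp auth_fail
2025-06-01T10:00:05 203.0.113.14 3389 rdp auth_fail
2025-06-01T10:00:06 198.51.100.7 22 ssh connect
2025-06-01T10:00:07 198.51.100.7 443 https connect
2025-06-01T10:00:08 198.51.100.7 3389 rdp connect
2025-06-01T10:00:09 198.51.100.7 1194 vpn connect
2025-06-01T10:00:10 192.0.2.50 22 ssh auth_ok
"""
# Constructed stand-in for a threat-intelligence blocklist feed (assumed values).
THREAT_FEED = {"203.0.113.12", "198.51.100.7"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse_logs(text):
    """Parse the space-separated log format above into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, port, svc, result = m.groups()
            events.append({"ts": ts, "src": src, "port": int(port), "svc": svc, "result": result})
    return events


def match_threat_feed(events, feed=THREAT_FEED):
    """Signature-style check: source IPs that appear on the blocklist feed."""
    return sorted({e["src"] for e in events if e["src"] in feed})


def detect_port_scanners(events, min_ports=4):
    """Behavioral check 1: one source probing at least min_ports distinct ports."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["port"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def detect_distributed_bruteforce(events, min_sources=5, max_per_source=2):
    """Behavioral check 2: per service, count sources with only a few failed logins each;
    a per-IP lockout stays quiet, but the aggregate across sources stands out."""
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "auth_fail":
            fails[e["svc"]][e["src"]] += 1
    low = {svc: sum(n <= max_per_source for n in by_src.values()) for svc, by_src in fails.items()}
    return {svc: k for svc, k in low.items() if k >= min_sources}
```

Only the feed match would catch 203.0.113.12 on its own; the RDP source set is caught by the aggregate check, and the multi-port probe from 198.51.100.7 by the scanner check.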
Final Thoughts
The discovery of 295 IPs acting in unison across continents shows how cyberattacks have evolved from isolated attempts into fully organized and systematic efforts. The use of cloud infrastructure, automation, and globally distributed probes makes defense more challenging than ever.
Organizations must go beyond basic perimeter defenses and implement layered, proactive cybersecurity strategies. As attackers become more collaborative, so too must the defenders.
Stay alert. Stay updated. And most importantly—stay patched.