CyberSecurity news
info@thehackernews.com (The Hacker News)
GreyNoise has issued a warning regarding a coordinated brute force campaign targeting Apache Tomcat Manager interfaces. On June 5, 2025, their threat intelligence system detected a significant surge in malicious activity, specifically brute-force and login attempts against these interfaces. This spike prompted GreyNoise to issue tags for "Tomcat Manager Brute Force Attempt" and "Tomcat Manager Login Attempt," both registering well above their usual baseline volumes, suggesting a deliberate and widespread effort to identify and exploit exposed Tomcat services.
295 unique IP addresses were observed engaging in brute-force attempts, while 298 IPs conducted login attempts. Almost all were classified as malicious. Much of the activity originated from infrastructure hosted by DigitalOcean. The concentrated nature of these attacks, focusing primarily on Tomcat services, indicates a coordinated campaign rather than random, opportunistic scanning. GreyNoise believes that such activity serves as an early warning sign of future exploitation.
Organizations are urged to immediately block the malicious IPs identified by GreyNoise and to strengthen their security posture regarding exposed Tomcat Manager interfaces. This includes implementing robust authentication mechanisms, enforcing strict access restrictions, and carefully reviewing recent login activity for any anomalies. GreyNoise continues to monitor the situation and is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.
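The login-activity review recommended above can be scripted against Tomcat access logs. The following is an added example, not code from GreyNoise or the cited reports: it assumes the AccessLogValve writes the `common` pattern, and the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")
FAILED_THRESHOLD = 5  # assumption: tune to your own baseline


def review_manager_logins(lines, threshold=FAILED_THRESHOLD):
    """Return per-IP stats for sources with >= threshold failed Manager logins."""
    stats = defaultdict(lambda: {"failed": 0, "success_after_failures": False})
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(MANAGER_PREFIXES):
            continue
        entry = stats[m["ip"]]
        if m["status"] == "401":  # Basic auth challenge or rejected credentials
            entry["failed"] += 1
        elif m["status"] == "200" and m["user"] != "-" and entry["failed"] >= threshold:
            # An authenticated request after repeated failures: treat as urgent.
            entry["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}


def _line(ip, user, sec, path, status):
    return (f'{ip} - {user} [05/Jun/2025:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 1024')


# Constructed sample log lines (documentation IP ranges, not real indicators).
SAMPLE = (
    [_line("203.0.113.7", "-", s, "/manager/html", 401) for s in range(6)]
    + [
        _line("203.0.113.7", "tomcat", 7, "/manager/html", 200),
        _line("198.51.100.20", "-", 8, "/manager/html", 401),   # normal challenge
        _line("198.51.100.20", "ops", 9, "/manager/html", 200),  # then valid login
        _line("192.0.2.44", "-", 10, "/index.jsp", 200),          # unrelated request
    ]
)

if __name__ == "__main__":
    for ip, s in review_manager_logins(SAMPLE).items():
        print(ip, s)
```

A single 401 followed by a 200 is the normal Basic authentication challenge, which is why only sources at or above the threshold are reported.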