295 Malicious IPs Initiate Coordinated Brute-Force Attacks on Apache Tomcat Manager
June 11, 2025
Network Security / Threat Intelligence
GreyNoise, a prominent threat intelligence organization, has issued an alert regarding significant coordinated brute-force attacks aimed at Apache Tomcat Manager interfaces. On June 5, 2025, the firm detected a sharp increase in brute-force and login attempts, suggesting organized efforts to identify and gain access to publicly exposed Tomcat services en masse.
The investigation revealed that 295 distinct IP addresses were involved in these brute-force operations on the specified date, all of which have been classified as malicious. In the immediate 24-hour period following this surge, a total of 188 unique IPs were recorded, with a significant concentration originating from the United States, the United Kingdom, Germany, the Netherlands, and Singapore.
Further observations indicate that 298 unique IPs were engaged in login attempts targeting Tomcat Manager instances, underscoring the coordinated nature of these attacks. Among the 246 IP addresses identified in the last 24 hours, all have been tagged as malicious, again tracing back to the aforementioned countries.
The primary targets of these brute-force attempts include various organizations based in the United States, highlighting a potential vulnerability within this segment. The coordinated nature of the attacks raises concerns about the security posture of business operations relying on exposed Tomcat services, which could be susceptible to unauthorized access.
From a technical standpoint, the methods employed in these attacks align with several tactics outlined in the MITRE ATT&CK framework. Notably, tactics associated with initial access and brute-force login techniques may have been utilized, aiming to exploit weak credentials or misconfigurations within the targeted systems.
Furthermore, attackers may attempt privilege escalation to extend their access rights once inside the targeted interfaces. Leaving these services exposed creates a persistent risk, as successful breaches could enable further malicious activities or data exfiltration.
The alarming rise in these attacks emphasizes the necessity for organizations to evaluate their cyber defenses, particularly concerning services like Apache Tomcat Manager. Enhancing security protocols, such as implementing robust authentication measures and continuous monitoring, can help mitigate the risks posed by such coordinated threats.
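As an illustration of the continuous monitoring mentioned above, the following added example (not code from GreyNoise or from this article) scans Tomcat access-log lines for repeated 401 responses on Manager paths and separately marks any source that authenticates after crossing the failure threshold. It assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the threshold, the function name and the sample log lines, which use documentation-range IPs, are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed log format: Tomcat AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")


def flag_sources(lines, threshold=5):
    """Return {ip: verdict} for sources hammering the Manager login.

    "brute-force": at least `threshold` 401 responses on Manager paths.
    "login-after-brute-force": an authenticated 200 seen after that point,
    which is the case to investigate first.
    """
    failures = defaultdict(int)
    verdicts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        path = m["path"].split("?", 1)[0]
        if not path.startswith(MANAGER_PREFIXES):
            continue
        host, status = m["host"], m["status"]
        if status == "401":
            failures[host] += 1
            if failures[host] >= threshold:
                verdicts.setdefault(host, "brute-force")
        elif status == "200" and m["user"] != "-" and failures[host] >= threshold:
            verdicts[host] = "login-after-brute-force"
    return verdicts


# Constructed sample log lines (not real traffic)
FAIL = '%s - - [05/Jun/2025:10:00:%02d +0000] "GET %s HTTP/1.1" 401 2499'
SAMPLE_LOG = (
    [FAIL % ("203.0.113.7", i, "/manager/html") for i in range(6)]
    + ['203.0.113.7 - tomcat [05/Jun/2025:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 18334']
    + [FAIL % ("198.51.100.20", i, "/manager/text/list") for i in range(5)]
    + [FAIL % ("192.0.2.10", 0, "/manager/html"),
       '192.0.2.10 - admin [05/Jun/2025:10:02:05 +0000] "GET /manager/html HTTP/1.1" 200 18334',
       '192.0.2.44 - - [05/Jun/2025:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 512']
)

if __name__ == "__main__":
    for ip, verdict in flag_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

A single mistyped password followed by a normal login (192.0.2.10 in the sample) stays below the threshold and is not flagged.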
In conclusion, as organizations increasingly rely on cloud-based services, understanding and responding to emerging threats becomes paramount. The ongoing sophistication of attacks, as outlined in GreyNoise’s findings, serves as a critical reminder for business leaders to fortify their cybersecurity strategies against potential breaches.