Hackers Launch Coordinated Attack on Apache Tomcat Manager from 400 Unique IPs

Cybersecurity researchers at GreyNoise Intelligence have identified a significant coordinated attack campaign targeting Apache Tomcat Manager interfaces across the globe.

On June 5, 2025, the company’s threat detection systems registered activity levels far exceeding normal baselines, with nearly 400 unique IP addresses participating in what appears to be a large-scale reconnaissance and access-attempt operation.

The campaign represents a dramatic escalation in opportunistic attacks against web application servers, with security experts warning that such broad scanning activities often precede more targeted exploitation attempts.

Scale and Scope of the Attack Campaign

GreyNoise’s monitoring systems detected two distinct but related attack patterns through their automated tagging system.

The “Tomcat Manager Brute Force Attempt” tag captured 250 unique IP addresses conducting systematic password-guessing attacks, representing a massive spike from the typical baseline range of 1-15 IPs.

Simultaneously, the “Tomcat Manager Login Attempt” tag identified 298 unique IP addresses attempting to access Tomcat administrative interfaces, compared to the normal baseline of 10-40 IPs.

All IP addresses involved in the brute force attempts were classified as malicious, while 99.7% of those conducting login attempts received the same designation.

The coordinated nature of the campaign suggests sophisticated planning and resource allocation by threat actors.

Attack Type            Unique IPs Observed   Baseline Range   Malicious Classification
Brute Force Attempts   250                   1-15 IPs         100%
Login Attempts         298                   10-40 IPs        99.7%
Total Campaign         ~400                  11-55 IPs        99.8%

Infrastructure and Geographic Distribution

Analysis of the attacking infrastructure reveals a significant concentration of malicious activity originating from DigitalOcean’s autonomous system (ASN 14061).

This cloud service provider’s infrastructure appears to have been heavily leveraged by threat actors, likely due to the ease of rapidly provisioning and disposing of attack resources.

The geographic distribution of attacking IPs spans multiple countries, with the majority originating from the United States, United Kingdom, Germany, the Netherlands, and Singapore.

Meanwhile, targeted systems were primarily located in the United States, the United Kingdom, Spain, Germany, India, and Brazil, indicating that both the attacking and the targeted infrastructure were globally distributed.

The Apache Tomcat Manager application serves as a web-based administrative interface for managing Tomcat server instances and deployed applications.

By default, Tomcat Manager is configured to restrict access to localhost (127.0.0.1) using a RemoteAddrValve declared in the application’s META-INF/context.xml.


Defensive Recommendations and Future Implications

Security researchers emphasize that while this campaign was not linked to any specific vulnerability exploitation, it represents a concerning trend of widespread reconnaissance activity.

Such broad, opportunistic scanning often serves as preliminary intelligence gathering for more targeted attacks, particularly given Apache Tomcat’s extensive deployment across enterprise environments.

Organizations operating Tomcat Manager interfaces should immediately implement IP-based blocking for the identified malicious addresses and review their access control configurations.

The RemoteCIDRValve can be used instead to restrict access to specific network ranges.

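As an added example (not GreyNoise’s tooling or Tomcat’s own code), the Python script below applies both ideas from this section to Tomcat access-log lines in the default AccessLogValve format: it counts 401 responses on /manager/* per source address to surface password guessing, and it lists which sources reached the Manager from outside an allow list of CIDRs, the same decision a RemoteCIDRValve makes before a request reaches the application. The log lines, addresses and failure threshold are constructed.

```python
import ipaddress
import re
from collections import Counter

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines: 203.0.113.10 hammers /manager/html, 10.0.0.5 is a real admin.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [05/Jun/2025:10:02:00 +0000] "GET /manager/html HTTP/1.1" 200 19243
198.51.100.7 - - [05/Jun/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 11156
"""

def parse(log_text):
    """Yield (ip, path, status) for every line matching the default pattern."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            parts = m.group("req").split(" ")
            yield m.group("ip"), parts[1] if len(parts) > 1 else "", int(m.group("status"))

def manager_failures(log_text):
    """Count 401 responses on /manager/* per source IP."""
    counts = Counter()
    for ip, path, status in parse(log_text):
        if path.startswith("/manager/") and status == 401:
            counts[ip] += 1
    return counts

def brute_force_sources(log_text, threshold=4):
    """IPs whose failed Manager logins reach the (constructed) threshold."""
    return sorted(ip for ip, n in manager_failures(log_text).items() if n >= threshold)

def outside_allow_list(log_text, allow_cidrs):
    """IPs that reached /manager/* from outside the CIDRs a RemoteCIDRValve would allow."""
    nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    return sorted({ip for ip, path, _ in parse(log_text)
                   if path.startswith("/manager/")
                   and not any(ipaddress.ip_address(ip) in n for n in nets)})
```

Run against a real access log, the second function shows which Manager requests the valve would have rejected had it been in place, which is a quick way to validate an allow list before deploying it.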

This attack campaign coincides with ongoing exploitation of CVE-2025-24813, a critical Apache Tomcat remote code execution vulnerability that GreyNoise has been tracking since March 2025.

The combination of active vulnerability exploitation and large-scale brute force campaigns suggests heightened threat actor interest in Tomcat infrastructure, making immediate defensive action crucial for organizations with internet-exposed Tomcat services.
