In a growing trend of cyber threats, the threat intelligence firm GreyNoise has reported a significant uptick in coordinated brute-force attacks targeting Apache Tomcat Manager interfaces. These attacks, which began on June 5, 2025, involved a staggering 295 unique IP addresses associated with malicious activities, indicating a deliberate effort to exploit vulnerabilities in exposed Tomcat services. The surge in login attempts demonstrates the ongoing interest of cybercriminals in gaining unauthorized access to critical server management tools.
Geographical analysis reveals that the majority of these malicious IPs originate from countries such as the United States, the United Kingdom, Germany, the Netherlands, and Singapore, with 188 unique IPs logged in just a 24-hour period preceding the report. Notably, these IP addresses were predominantly involved in brute-force attempts against Tomcat Manager, suggesting an alarming trend in cyberattacks.
GreyNoise further highlighted that in conjunction with the brute-force attempts, a separate group of 298 unique IPs was observed attempting to log in to Tomcat Manager interfaces. The firm pointed out that all flagged IPs were categorized as malicious and consistently belonged to the same geographic regions, emphasizing a coordinated strategy among attackers to breach various organizations.
The report underscores the necessity for organizations with exposed Tomcat Manager interfaces to bolster their security measures. GreyNoise advised implementing strong authentication practices, establishing rigorous access restrictions, and monitoring for suspicious activity to mitigate risks. This coordinated activity is not isolated and echoes a broader pattern of vulnerabilities being targeted across various platforms, serving as a stark reminder of the ever-evolving landscape of cyber threats.
In a related concern, Bitsight disclosed that over 40,000 security cameras are currently accessible on the internet without cybersecurity protections, allowing potential intruders to view live video feeds from locations ranging from homes to business premises. These exposed devices have become tools for espionage and extortion, with the telecommunications sector accounting for a significant number of these installations. Security experts urge users to adopt best practices, including changing default login credentials and disabling remote access unless necessary.