Coordinated Brute-Force Campaign Signals Risk to Apache Tomcat Deployments


On June 5, 2025, GreyNoise Intelligence reported a coordinated spike in brute-force login attempts targeting Apache Tomcat Manager interfaces. This activity, involving hundreds of malicious IP addresses, primarily from DigitalOcean-hosted infrastructure, signals a likely pre-operational phase of a broader threat campaign. Although no specific CVE exploitation was detected, the scale and precision of the activity suggest high risk for targeted exploitation in the near future.

Severity Level: High

Threat Overview

1. Scale and Impact:

  • Over 400 unique IP addresses were involved across multiple attack signatures.
  • Tomcat Manager Brute Force Attempt: 250 unique malicious IPs (normal daily baseline 1–15).
  • Tomcat Manager Login Attempt: 298 unique IPs (baseline 10–40), with 99.7% classified as malicious.
  • Activity of this magnitude is well above baseline, indicating deliberate, coordinated scanning rather than background internet noise.

2. Infrastructure Used:

  • A substantial portion of this activity originated from DigitalOcean infrastructure (ASN 14061).
  • The use of cloud-hosted infrastructure points to temporary, disposable attack infrastructure that can be spun up and discarded, a hallmark of organized adversary operations.

3. Objective:

  • The attacks are not tied to a known vulnerability or CVE, suggesting a pre-exploitation reconnaissance phase.
  • The goal appears to be unauthorized access to Tomcat Manager consoles. An account with the manager-gui or manager-script role can deploy arbitrary WAR files, so a guessed credential is effectively remote code execution on the host, making the interface a high-value target for persistence and lateral movement.
  • Tomcat Manager interfaces are especially sensitive when they are exposed to the internet without strong credentials and without network restrictions on who may reach them.

4. Attack Methodology:

  • The threat actors used automated brute-force tools to try combinations of usernames and passwords on publicly accessible Tomcat Manager login pages.
  • This approach is typically opportunistic, seeking misconfigured or weakly secured deployments.

5. Threat Classification:

  • Nearly all observed IPs were classified as malicious and associated with known brute-force behavior.
  • The behavior is categorized as unauthorized access attempts (MITRE ATT&CK T1110, Brute Force).

6. Industry Exposure:

  • This campaign affects any industry or organization with Tomcat Manager interfaces accessible over the internet.
  • Tomcat is widely used in Java-based enterprise applications, particularly in financial services, education, healthcare, and government systems.

7. Geographic Spread:

  • The campaign was global in scope with no regional targeting bias; the scanning covered a wide address space.

Recommendations

  1. Organizations with Tomcat Manager interfaces accessible over the internet should verify that strong, unique credentials are configured, that the Manager and Host Manager applications are reachable only from trusted addresses, and that account lockout is enabled. Reviewing recent access logs for repeated failed Manager logins, and for any successful login that follows a run of failures, is also advised.
  2. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/8f965bd1f60b23864b345afad31e27e8d66d8c9d759d83504e9b67cdf566a62f/iocs
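The log review recommended above, as an added example that is not part of this advisory or of GreyNoise's tooling: a Python script that reads Tomcat access-log lines in the default AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`), flags source addresses that produce repeated 401 responses against /manager/ or /host-manager/ within a short window, and reports any later non-401 Manager response from the same source as a possible successful guess. The log lines, addresses (RFC 5737 documentation ranges), threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# %u is the authenticated principal, so failed attempts log "-" there;
# the guessed usernames live in the Authorization header, not in this log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MANAGER_PREFIXES = ("/manager/", "/host-manager/")

# Constructed sample (not real traffic): 203.0.113.10 hammers the Manager
# login and then gets a 200 as user "tomcat"; 192.0.2.7 is a normal admin
# login (one 401 challenge, then 200); 198.51.100.4 never touches /manager/.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.10 - - [05/Jun/2025:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.10 - - [05/Jun/2025:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.10 - - [05/Jun/2025:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.10 - - [05/Jun/2025:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.10 - tomcat [05/Jun/2025:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 18123
192.0.2.7 - - [05/Jun/2025:10:00:10 +0000] "GET /manager/html HTTP/1.1" 401 2536
192.0.2.7 - opsadmin [05/Jun/2025:10:00:15 +0000] "GET /manager/html HTTP/1.1" 200 18123
198.51.100.4 - - [05/Jun/2025:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: finding} for sources with at least `threshold` 401s against
    the Manager apps inside any `window`, plus any non-401 Manager response
    from that source at or after its last failure (credentials may be found)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIXES):
            continue
        per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["status"] == 401]
        # Sliding window over the failure timestamps: largest burst within `window`.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = failures[-1]["ts"]
        after = [(r["status"], r["user"]) for r in recs
                 if r["status"] != 401 and r["ts"] >= last_fail]
        findings[ip] = {
            "failures_in_window": best,
            "first_seen": failures[0]["ts"].isoformat(),
            "success_after_failures": after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_manager_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

Run it against `$CATALINA_BASE/logs/localhost_access_log.*.txt` by passing the file contents to `detect_manager_bruteforce`. A normal browser login also yields one 401 challenge followed by a 200, which is why a single failure is not flagged; tune the threshold to the baseline of your own deployment. On the Tomcat side, the complementary controls are the LockOutRealm that wraps the user realm in the stock conf/server.xml (locks an account after repeated failures) and a RemoteAddrValve in the Manager application's context to restrict it to trusted addresses.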

Source:

  • https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-apache-tomcat-manager



Ampcus Cyber