295 Malicious IPs Target Apache Tomcat Manager with Coordinated Brute-Force Attacks

Threat intelligence firm GreyNoise has issued a warning regarding "coordinated brute-force activity" targeting the Apache Tomcat Manager interfaces.
The company reported a spike in brute-force and login attempts on June 5, 2025, suggesting that these actions may be deliberate efforts to "identify and access exposed Tomcat services at scale."
On that date, 295 unique IP addresses were found engaged in brute-force attempts against the Tomcat Manager, all classified as malicious. In the past 24 hours, 188 unique IPs have been recorded, with the majority located in the United States, United Kingdom, Germany, Netherlands, and Singapore.
Additionally, 298 unique IPs were observed attempting to log in to Tomcat Manager instances. Of the 246 IP addresses flagged in the last 24 hours, all are categorized as malicious and originate from the same regions.
The targets of these attempts include the United States, United Kingdom, Spain, Germany, India, and Brazil during the same timeframe. GreyNoise noted that a significant portion of the activity originated from infrastructure hosted by DigitalOcean (ASN 14061).


"While not linked to a specific vulnerability, this behavior underscores a persistent interest in exposed Tomcat services," the company stated. "Broad, opportunistic activity like this often serves as an early warning of potential future exploitation."
To mitigate any risks, organizations with exposed Tomcat Manager interfaces are advised to implement strong authentication measures and access restrictions and to monitor for any signs of suspicious activity.
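One way to act on the monitoring advice above, as an added example that is not from GreyNoise or the original article: a Python detector that counts failed logins (HTTP 401) against Manager paths per source IP in a sliding window and notes when a 200 follows a burst. The log format (Tomcat's "common" access-log pattern), the default `/manager` and `/host-manager` paths, the threshold and window values, and the sample log lines are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: Tomcat AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')
# Assumed paths: Manager and Host Manager at their default context paths
MANAGER = re.compile(r'^/(?:host-)?manager(?:[/?]|$)')

def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold 401s on Manager paths inside `window`.
    A lone 401 is normal (the Basic-auth challenge), hence the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    findings = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, path, status = m.groups()
        if not MANAGER.match(path):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "401":
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "success_after": False})
                f["failures"] = max(f["failures"], len(q))
        elif status == "200" and ip in findings:
            # A 200 after a burst of failures deserves immediate review
            findings[ip]["success_after"] = True
    return findings

def sample_log():
    """Constructed lines using documentation-range IPs, not real traffic."""
    base = datetime(2025, 6, 5, 10, 0, 0, tzinfo=timezone.utc)
    rows = [("203.0.113.7", 2 * i, "/manager/html", 401) for i in range(8)]
    rows += [("203.0.113.7", 20, "/manager/html", 200),
             ("198.51.100.4", 5, "/manager/html", 401),  # single failure: no alert
             ("192.0.2.9", 6, "/index.jsp", 401)]        # not a Manager path
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return [f'{ip} - - [{stamp(s)}] "GET {p} HTTP/1.1" {st} 1024' for ip, s, p, st in rows]

if __name__ == "__main__":
    for ip, f in detect(sample_log()).items():
        print(ip, f)
```

Tune `threshold` and `window` to the normal login pattern of your administrators before alerting on the output.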
This disclosure coincides with findings from BitSight, which revealed that over 40,000 security cameras are openly accessible on the internet, potentially allowing anyone to view live video feeds captured by these devices via HTTP or Real-Time Streaming Protocol (RTSP). The exposures are primarily concentrated in the United States, Japan, Austria, Czechia, and South Korea.
The telecommunications sector accounts for 79% of the exposed cameras, followed by technology (6%), media (4.1%), utilities (2.5%), education (2.2%), business services (2.2%), and government (1.2%).
These installations range from residential and office settings to public transportation systems and factories, inadvertently leaking sensitive information that could be exploited for espionage, stalking, and extortion.
Users are advised to change default usernames and passwords, disable remote access if not necessary (or restrict access using firewalls and VPNs), and keep firmware updated.
"The ease with which individuals or organizations can purchase, plug in, and start streaming from these devices with minimal setup is likely why this threat continues to persist."