GreyNoise has reported a significant coordinated attack campaign targeting Apache Tomcat Manager interfaces on June 5, 2025.
The security firm observed a dramatic spike in malicious activity involving approximately 400 unique IP addresses, with attack volumes reaching levels far above established baselines.
This large-scale reconnaissance and access attempt represents a concerning escalation in automated threats against enterprise web application servers.
The attack campaign demonstrated sophisticated coordination, with threat actors systematically attempting to identify and compromise exposed Tomcat services across the internet.
The attack manifested through two primary vectors tracked by the GreyNoise threat intelligence platform.
The “Tomcat Manager Brute Force Attempt” tag recorded 250 unique IP addresses, representing a massive increase from the typical baseline range of 1-15 IPs during normal periods.

GreyNoise’s monitoring systems registered the activity through two distinct attack patterns, both showing unprecedented volume increases that triggered automated threat detection algorithms.
All identified IP addresses in this category were classified as malicious, indicating a highly focused and deliberate campaign rather than opportunistic scanning.
The narrow focus on Tomcat services suggests threat actors were specifically targeting organizations running these widely deployed application servers.
DigitalOcean Infrastructure
Analysis of the attack infrastructure revealed a significant concentration of malicious activity originating from DigitalOcean’s cloud hosting platform, specifically from Autonomous System Number (ASN) 14061.
Simultaneously, the “Tomcat Manager Login Attempt” tag detected 298 unique IP addresses, dramatically exceeding the normal baseline range of 10-40 IPs. Of these addresses, 99.7% received malicious classifications, demonstrating the coordinated nature of the attack infrastructure.
This infrastructure choice suggests threat actors leveraged readily available cloud resources to distribute their attack operations and potentially evade detection through geographic and network diversity.
The use of cloud infrastructure for malicious campaigns has become increasingly common, as threat actors exploit the accessibility and anonymity provided by cloud hosting services.
DigitalOcean’s involvement, while likely unknowing, highlights the ongoing challenges cloud providers face in preventing abuse of their platforms for cybercriminal activities.
Immediate Defensive Measures
According to the report, GreyNoise researchers emphasize that while this campaign is not tied to a specific vulnerability, it represents a significant early warning indicator for organizations running exposed Tomcat Manager interfaces.
The broad, opportunistic nature of the activity often precedes more targeted exploitation attempts once vulnerable systems are identified.
Security professionals recommend immediate implementation of IP blocking measures against the identified malicious addresses.
Organizations should prioritize reviewing authentication mechanisms on Tomcat Manager interfaces, ensuring strong credentials and proper access restrictions are enforced.
Additionally, administrators should examine recent login logs for anomalous activity that might indicate successful compromise attempts.
The research team continues monitoring for behavioral shifts or signs of follow-on exploitation activities.
This campaign underscores the persistent threat landscape facing internet-exposed enterprise applications and the importance of proactive threat intelligence in defensive cybersecurity strategies.