Hackers Attacking Apache Tomcat Manager From 400 Unique IPs

A significant coordinated attack campaign has been observed targeting Apache Tomcat Manager interfaces, with threat actors leveraging approximately 400 unique IP addresses in a concentrated attack that peaked on June 5, 2025.

The attack represents a substantial increase in malicious activity, with observed volumes reaching 10-20 times above normal baseline levels, indicating a sophisticated and deliberate attempt to compromise exposed Tomcat services at unprecedented scale.

Massive Spike in Brute Force and Login Attempts 

The coordinated attack campaign was first identified through GreyNoise’s threat intelligence monitoring systems, which detected two distinct but related attack vectors targeting Apache Tomcat Manager interfaces. 

The Tomcat Manager Brute Force Attempt tag registered 250 unique IP addresses engaging in malicious activity, representing a staggering increase from the typical baseline range of 1-15 IP addresses. 

Simultaneously, the Tomcat Manager Login Attempt tag recorded 298 unique IP addresses, far exceeding the normal baseline range of 10-40 IP addresses. 

All IP addresses involved in the brute force attempts were classified as malicious, while 99.7% of the login attempt traffic was determined to be malicious in nature.

The attack timeline shows a concentrated burst of activity that began building in early June, with the most significant spike occurring on June 5, 2025. 

The data visualization reveals that the threat actors maintained sustained pressure over several days, suggesting a well-coordinated campaign rather than opportunistic scanning. 

The ASN 14061 (DigitalOcean) infrastructure hosted a significant portion of the attacking IP addresses, indicating that threat actors leveraged cloud computing resources to distribute their attack infrastructure and avoid detection through IP-based blocking mechanisms.

The technical analysis of the attack reveals sophisticated operational security practices employed by the threat actors. 

The attackers demonstrated a narrow focus, specifically targeting Tomcat Manager interfaces, avoiding broader scanning activities that might trigger additional security alerts. 

This targeted approach suggests the attackers possessed prior intelligence about potential targets and designed their campaign to maximize success while minimizing detection probability.

The use of DigitalOcean’s cloud infrastructure (ASN 14061) as the primary attack infrastructure highlights the evolving tactics of cybercriminals who increasingly leverage legitimate cloud services to conduct malicious activities.

This approach provides attackers with several advantages, including rapid deployment capabilities, geographic distribution of attack sources, and the ability to blend malicious traffic with legitimate cloud-based communications. 

The attackers likely utilized automated tools and scripts to coordinate the simultaneous brute force and login attempts across hundreds of IP addresses, indicating a high level of technical sophistication and resource investment.

Mitigations

Organizations running Apache Tomcat installations must immediately implement comprehensive defensive measures to protect against this ongoing threat campaign. 

Security teams should prioritize blocking all identified malicious IP addresses involved in both the brute force and login attempt categories, utilizing updated threat intelligence feeds to maintain current protection levels. 

The immediate implementation of IP-based blocking rules targeting the 400+ identified malicious addresses is crucial for preventing further compromise attempts.

Beyond immediate blocking measures, organizations must verify that robust authentication mechanisms protect their Tomcat Manager interfaces, including the implementation of multi-factor authentication (MFA) and strong password policies. 

Access restrictions should limit Tomcat Manager availability to authorized networks only, preferably through VPN connections or IP whitelisting for administrative access. 

Security teams should conduct thorough reviews of recent login activity, examining authentication logs for anomalous patterns that might indicate successful compromise attempts preceding the detected campaign.
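As an added example (not code from the article or from GreyNoise), the following script performs the log review described above: it parses Tomcat access log lines, counts failed (401) authentication attempts against the /manager/ path per source IP, and flags any source that eventually receives a 200 after a run of failures, which is the pattern a successful brute force would leave behind. It assumes the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the log lines and the failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real traffic): one source that brute-forces
# and eventually logs in, one that never succeeds, one legitimate admin, and
# one unrelated request that must be ignored.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - tomcat [05/Jun/2025:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 19402
198.51.100.7 - - [05/Jun/2025:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:10:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:10:00:07 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
10.0.0.5 - admin [05/Jun/2025:10:01:00 +0000] "GET /manager/html HTTP/1.1" 200 19402
192.0.2.9 - - [05/Jun/2025:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 11230
"""


def analyze(log_text, threshold=3):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for every
    source that failed Manager authentication at least `threshold` times.
    `threshold` is an assumed tuning value, not a figure from the article."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager/"):
            continue  # malformed line or not a Manager request
        rec = stats[m["ip"]]
        if m["status"] == "401":
            rec["failures"] += 1
        elif m["status"] == "200" and rec["failures"] > 0:
            # A 200 after earlier 401s from the same IP: possible successful guess.
            rec["success_after_failures"] = True
    return {ip: r for ip, r in stats.items() if r["failures"] >= threshold}


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        flag = "POSSIBLE COMPROMISE" if rec["success_after_failures"] else "failed only"
        print(f"{ip}: {rec['failures']} Manager auth failures ({flag})")
```

Sources flagged as "POSSIBLE COMPROMISE" warrant a review of deployed applications under the Manager, since a successful login grants the ability to upload WAR files.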


The post Hackers Attacking Apache Tomcat Manager From 400 Unique IPs appeared first on Cyber Security News.