
GreyNoise Warns of Large-Scale Tomcat Exploitation Attempt

 

Threat intelligence firm GreyNoise warned of a “coordinated brute-force activity” targeting Apache Tomcat Manager interfaces.

The company observed a surge in brute-force and login attempts on June 5, 2025. This spike suggests deliberate efforts to “identify and access exposed Tomcat services at scale.”

As a result, GreyNoise identified 295 unique IP addresses that engaged in brute-force attempts against Tomcat Manager on that date. The company classified all of them as malicious.

Furthermore, over the past 24 hours, GreyNoise recorded 188 unique IPs, with the majority originating from the United States, the United Kingdom, Germany, the Netherlands, and Singapore.

Similarly, 298 unique IPs attempted to log in to Tomcat Manager instances. Of the 246 IP addresses that GreyNoise flagged in the last 24 hours, the company labeled all as malicious, and they came from the same geographic locations.

The attack targets included the United States, the United Kingdom, Spain, Germany, India, and Brazil during the same time period. GreyNoise also noted that a significant portion of the activity originated from infrastructure hosted by DigitalOcean (ASN 14061).

Although the company did not link this behavior to a specific vulnerability, it emphasized that the trend underscores ongoing interest in exposed Tomcat services. Broad, opportunistic activity like this often serves as an early warning sign of future exploitation.

To mitigate potential risks, organizations with exposed Tomcat Manager interfaces should implement strong authentication, restrict access, and actively monitor for suspicious activity.
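As an illustration of the monitoring step, the following added example (not code from GreyNoise or the original article) scans Tomcat access logs for repeated failed logins against the Manager applications. It assumes the access log uses the common pattern `%h %l %u %t "%r" %s %b`; the threshold, the time window, and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the common access-log pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")

def parse(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold 401s on Manager paths inside the window.
    threshold and window are illustrative values, not vendor guidance."""
    failures = defaultdict(list)  # ip -> timestamps of recent 401 responses
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, path, status = rec
        if not path.startswith(MANAGER_PREFIXES):
            continue
        if status == 401:
            # Keep only failures still inside the sliding window.
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "login_after": False})
                entry["failures"] = max(entry["failures"], len(failures[ip]))
        elif status == 200 and ip in flagged:
            # A success after a burst of failures deserves immediate review.
            flagged[ip]["login_after"] = True
    return flagged

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [05/Jun/2025:10:00:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(6)
] + [
    '203.0.113.7 - admin [05/Jun/2025:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 17521',
    '198.51.100.20 - - [05/Jun/2025:10:01:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.20 - ops [05/Jun/2025:10:01:05 +0000] "GET /manager/html HTTP/1.1" 200 17521',
    '192.0.2.9 - - [05/Jun/2025:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 11230',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```

A single mistyped password followed by a successful login, as with the second sample address, stays below the threshold and is not flagged.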

Meanwhile, Bitsight disclosed that it found more than 40,000 security cameras openly accessible on the internet. This exposure potentially enables anyone to access live video feeds via HTTP or Real-Time Streaming Protocol (RTSP). These exposures primarily occur in the United States, Japan, Austria, Czechia, and South Korea.

The telecommunications sector accounts for 79% of the exposed cameras, followed by technology (6%), media (4.1%), utilities (2.5%), education (2.2%), business services (2.2%), and government (1.2%).

These installations range from homes and offices to public transportation systems and factory settings, unintentionally leaking sensitive information. Such leaks could then lead to espionage, stalking, or extortion.

Therefore, users should change default usernames and passwords, disable remote access if unnecessary (or restrict it using firewalls and VPNs), and keep firmware current.

“These cameras – intended for security or convenience – have inadvertently become public windows into sensitive spaces, often without their owners’ knowledge,” security researcher João Cruz stated in a report shared with The Hacker News.

“No matter why an individual or organization needs this kind of device, the ease of setup – just buy, plug in, and stream – likely explains why this threat still persists.”


Source: TheHackerNews
