Cyber Web Spider Blog – News
Hackers Attacking Apache Tomcat Manager From 400 Unique IPs

Posted on June 12, 2025 By CWS

A large coordinated attack campaign is targeting Apache Tomcat Manager interfaces, with threat actors leveraging roughly 400 unique IP addresses in a concentrated assault that peaked on June 5, 2025.

The attack represents a substantial increase in malicious activity, with observed volumes reaching 10-20 times normal baseline levels, indicating a sophisticated and deliberate attempt to compromise exposed Tomcat services at unprecedented scale.

Massive Spike in Brute Force and Login Attempts

The coordinated attack campaign was first identified through GreyNoise's threat intelligence monitoring systems, which detected two distinct but related attack vectors targeting Apache Tomcat Manager interfaces.

The Tomcat Manager Brute Force Attempt tag registered 250 unique IP addresses engaging in malicious activity, a staggering increase from the typical baseline range of 1-15 IP addresses.

Concurrently, the Tomcat Manager Login Attempt tag recorded 298 unique IP addresses, far exceeding the normal baseline range of 10-40 IP addresses.

All IP addresses involved in the brute force attempts were classified as malicious, while 99.7% of the login attempt traffic was determined to be malicious in nature.

The attack timeline reveals a concentrated burst of activity that began building in early June, with the most significant spike occurring on June 5, 2025.

The data visualization shows that the threat actors maintained sustained pressure over several days, suggesting a well-coordinated campaign rather than opportunistic scanning.

Infrastructure in ASN 14061 (DigitalOcean) hosted a significant portion of the attacking IP addresses, indicating that the threat actors leveraged cloud computing resources to distribute their attack infrastructure and evade detection by IP-based blocking mechanisms.

Technical analysis of the attack reveals sophisticated operational security practices employed by the threat actors.

The attackers demonstrated a narrow focus, specifically targeting Tomcat Manager interfaces and avoiding broader scanning activity that might trigger additional security alerts.

This targeted approach suggests the attackers possessed prior intelligence about potential targets and designed their campaign to maximize success while minimizing the likelihood of detection.

The use of DigitalOcean's cloud infrastructure (ASN 14061) as a primary attack vector highlights the evolving tactics of cybercriminals, who increasingly leverage legitimate cloud services to conduct malicious activity.

This approach gives attackers several advantages, including rapid deployment, geographic distribution of attack sources, and the ability to blend malicious traffic with legitimate cloud-based communications.

The attackers likely used automated tools and scripts to coordinate the simultaneous brute force and login attempts across hundreds of IP addresses, indicating a high level of technical sophistication and resource investment.

Mitigations

Organizations running Apache Tomcat installations should immediately implement comprehensive defensive measures to protect against this ongoing threat campaign.

Security teams should prioritize blocking all identified malicious IP addresses involved in both the brute force and login attempt categories, using updated threat intelligence feeds to maintain current protection.

Rapid implementation of IP-based blocking rules covering the 400+ identified malicious addresses is critical for preventing further compromise attempts.

Beyond immediate blocking measures, organizations should verify that strong authentication mechanisms protect their Tomcat Manager interfaces, including multi-factor authentication (MFA) and strong password policies.

Access restrictions should limit Tomcat Manager availability to authorized networks only, ideally through VPN connections or IP whitelisting for administrative access.

Security teams should conduct thorough reviews of recent login activity, examining authentication logs for anomalous patterns that might indicate successful compromise attempts preceding the detected campaign.
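To support the log review recommended above, here is an added example (not code from the original article or from GreyNoise) that parses Tomcat access-log lines in the AccessLogValve "common" pattern, counts failed authentication responses on Manager paths per source address, flags sources that reached the Manager from outside an administrative allowlist, and reports any source that received a 200 after earlier failures, which is the pattern a successful brute-force login would leave. The sample log lines, the allowlist networks and the failure threshold are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Tomcat's AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b). Addresses come from RFC 5737 documentation
# ranges and are not real attacker infrastructure.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2025:10:14:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:14:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:14:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:14:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:14:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:14:06 +0000] "GET /manager/html HTTP/1.1" 200 19876
198.51.100.7 - - [05/Jun/2025:10:15:10 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:10:15:11 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
10.0.0.4 - admin [05/Jun/2025:10:20:00 +0000] "GET /manager/html HTTP/1.1" 200 19876
203.0.113.9 - - [05/Jun/2025:10:21:00 +0000] "GET /index.html HTTP/1.1" 200 11156
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})(?:\s|$)'
)

# Paths served by the Manager and Host Manager web applications.
MANAGER_PATHS = ("/manager/", "/host-manager/")

# Assumed administrative networks; replace with the ranges actually permitted.
ADMIN_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))

# Assumed threshold: this many 401/403 responses marks a brute-force source.
FAIL_THRESHOLD = 5


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def in_allowlist(ip, networks=ADMIN_NETWORKS):
    """True when ip falls inside one of the permitted administrative networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def analyze(log_text, networks=ADMIN_NETWORKS, threshold=FAIL_THRESHOLD):
    """Scan access-log text for Manager-interface activity worth reviewing."""
    failures = defaultdict(int)   # ip -> count of 401/403 on Manager paths
    outside_allowlist = set()     # ips reaching the Manager from unapproved networks
    possible_compromise = set()   # ips that got a 200 after earlier failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PATHS):
            continue
        ip = rec["ip"]
        if not in_allowlist(ip, networks):
            outside_allowlist.add(ip)
        if rec["status"] in (401, 403):
            failures[ip] += 1
        elif rec["status"] == 200 and failures.get(ip, 0) > 0:
            possible_compromise.add(ip)
    brute_force = {ip for ip, n in failures.items() if n >= threshold}
    return {
        "failures": dict(failures),
        "brute_force": brute_force,
        "outside_allowlist": outside_allowlist,
        "possible_compromise": possible_compromise,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against a real access log by reading the file into `analyze()` in place of `SAMPLE_LOG` and setting `ADMIN_NETWORKS` to the ranges that are genuinely allowed to reach the Manager. Any address in `possible_compromise` deserves a credential reset and a review of deployed web applications, and any address in `outside_allowlist` shows that network-level restriction (for example Tomcat's RemoteAddrValve, or a firewall rule in front of it) is not yet enforced.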
