The Greynoise Intelligence firm warned about the “coordinated activity of the rough force” aimed at the Manager Apache Tomcat interfaces.
The company said this observe On June 5, 2025, an attempt attempts by gross force and entry, indicating that they can be focused efforts to “determine and access Tomcat’s exposing services”.
To this end, 295 unique IP addresses were attempted by the rough force against the Tomcat manager on this date, and all of them are classified as malicious ones. Over the last 24 hours, 188 Unique IPS Most of them located in the US, the UK, Germany, the Netherlands and Singapore were recorded.
In a similar direction, 298 Unique IPS were observed to attempts to enter against copies of Tomcat Manager. Of the 246 IP, which are labeled over the last 24 hours, they are all classified as malicious and come from the same places.
The goals of these attempts include the United States, the UK, Spain, Germany, India and Brazil over the same period. Greynoise noted that a considerable part of the activity occurred from the infrastructure conducted by Digitalocean (ASN 14061).
“Although not attached to a certain vulnerability, this behavior emphasizes the constant interest in opening Tomcat services,” the company added. “A broad, conjunctural activity similar to this is often a warning of future operation.”
To mitigate any potential risks, organizations with the Tomcat Manager interface are recommended to implement strong authentication and access restrictions and control any signs of suspicious activity.
The disclosure of information occurs when Bitsight has found that it revealed more than 40,000 security cameras, openly available on the Internet, which potentially allows everyone to access live video channels enthusiastic via HTTP or real-time streaming protocol (RTSP). The expositions are concentrated in the US, Japan, Austria, Czech Republic and South Korea.
The telecommunications sector accounts for 79%of open cameras, followed by technology (6%), media (4.1%), utilities (2.5%), education (2.2%), business services (2.2%) and government (1.2%).
The installations vary from those installed in residence, offices, public transport and factory systems, and carelessly leaks of sensitive information that could then be used for espionage, persecution and extortion.
Users are advised to change the default and passwords names, disable remote access if not required (or restrict access to firewall and VPN) and maintain firmware.
“These cameras – designed for safety or convenience – accidentally became public windows in sensitive spaces, often without the owners’ knowledge,” – a security researcher Joao Cruz – Note In a report that shared with Hacker News.
“Regardless of the reason for one individual or organization, such devices are needed, the fact that everyone can buy it, connect it and start broadcasting with minimal setting, probably why this is still a constant threat.”
