Brute-force attacks target Apache Tomcat management panels www.bleepingcomputer.com/news/secu…

A coordinated campaign of brute-force attacks using hundreds of unique IP addresses targets Apache Tomcat Manager interfaces exposed online.

Tomcat is a popular open-source web server widely used by large enterprises and SaaS providers, while Tomcat Manager is a web-based administration tool that comes bundled with the Tomcat server and helps admins manage deployed web apps via a graphical interface.

Tomcat Manager is configured by default to only allow access from localhost (127.0.0.1), with no pre-configured credentials and remote access blocked. However, when exposed online, the web app can be targeted by attackers, as cybersecurity company GreyNoise observed recently.

Starting June 5th, GreyNoise analysts discovered two coordinated campaigns targeting Apache Tomcat Manager interfaces and trying to gain access to Tomcat services over the Internet.

The first used nearly 300 unique IP addresses, most tagged as malicious, which were attempting to log into Tomcat Manager interfaces exposed online. The second employed 250 malicious IPs to target Tomcat Manager web apps in brute-force attacks, in which threat actors use automated tools to test thousands or even millions of possible credentials.
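A defender-side check for the activity described above, added here as an example and not taken from the original article or from GreyNoise: it parses Tomcat access log lines in the AccessLogValve `common` format and reports failed logins to the Manager paths both per source and in aggregate, since a campaign spread over hundreds of addresses can stay under any per-IP threshold. The sample log lines, the threshold value and the function name `summarize` are assumptions made for illustration.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")

# Constructed sample lines using documentation IP ranges, not campaign data.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2030:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [01/Jan/2030:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [01/Jan/2030:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.20 - - [01/Jan/2030:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.21 - - [01/Jan/2030:10:00:05 +0000] "GET /host-manager/html HTTP/1.1" 401 2044
198.51.100.22 - - [01/Jan/2030:10:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.22 - tomcat [01/Jan/2030:10:00:07 +0000] "GET /manager/html HTTP/1.1" 200 9876
192.0.2.10 - - [01/Jan/2030:10:00:08 +0000] "GET /index.jsp HTTP/1.1" 200 11230
192.0.2.11 - admin [01/Jan/2030:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 9876
"""


def summarize(log_text, per_ip_threshold=3):
    """Summarize authentication activity against the Tomcat Manager apps."""
    failures = Counter()   # source IP -> number of 401 responses
    successes = []         # (source IP, authenticated user) for 200 responses
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(MANAGER_PREFIXES):
            continue       # unparseable line or not a Manager request
        if m["status"] == "401":
            failures[m["ip"]] += 1
        elif m["status"] == "200" and m["user"] != "-":
            successes.append((m["ip"], m["user"]))
    return {
        # Aggregate view: catches a distributed campaign of low-rate sources.
        "total_failures": sum(failures.values()),
        "distinct_sources": len(failures),
        # Per-source view: catches a single noisy address.
        "noisy_ips": sorted(ip for ip, n in failures.items() if n >= per_ip_threshold),
        # Authenticated sessions from addresses that also failed a login.
        "success_from_failing_ip": [(ip, u) for ip, u in successes if ip in failures],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any request from a non-local address reaching these paths at all also indicates that the default localhost-only restriction has been relaxed on that server.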
