InsighthubNews
© 2024 All Rights Reserved | Powered by Insighthub News
Technology

Experts report a surge in automated botnet attacks targeting PHP servers and IoT devices

October 29, 2025

Cybersecurity researchers are warning of a surge in automated attacks targeting PHP servers, IoT devices, and cloud gateways from various botnets such as Mirai, Gafgyt, and Mozi.

“These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to take control of exposed systems and expand botnet networks,” Qualys Threat Research Unit (TRU) said in a report shared with The Hacker News.

The cybersecurity firm said PHP servers have emerged as the most prominent target for these attacks due to the widespread use of content management systems such as WordPress and Craft CMS. This creates a large attack surface, as many PHP deployments can be affected by misconfigurations, outdated plugins or themes, or insecure file storage.

Notable weaknesses in PHP frameworks that threat actors have exploited include:

  • CVE-2017-9841 – Remote code execution vulnerability in PHPUnit
  • CVE-2021-3129 – Laravel remote code execution vulnerability
  • CVE-2022-47945 – Remote code execution vulnerability in ThinkPHP framework

Qualys said it has also observed an exploit that uses the “/?XDEBUG_SESSION_START=phpstorm” query string in an HTTP GET request to start an Xdebug debugging session in an integrated development environment (IDE) like PhpStorm.

“If Xdebug is left unintentionally active in a production environment, an attacker could use these sessions to gain insight into application behavior or extract sensitive data,” the company said.
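The probe described above leaves a recognisable trace in web-server access logs. The following Python script is an added example, not part of Qualys' report or tooling: it parses combined-format access-log lines (the log layout is an assumption; adapt the regex to your server), flags any request whose query string carries an Xdebug session trigger, and tallies the sources that sent them. The log lines are constructed and use documentation IP ranges. XDEBUG_SESSION_START is the trigger named in the article; XDEBUG_SESSION and XDEBUG_TRIGGER are Xdebug's other request-trigger names and are included so the check covers them too.

```python
"""Flag HTTP requests that try to start an Xdebug session via a query-string
trigger, as described in the article.  Added example; the access-log lines
below are constructed, not taken from the Qualys report."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.  The layout is an assumption; adjust the
# regex if your server writes a different format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Query-string keys that tell Xdebug to open a debugging session.  The article
# names XDEBUG_SESSION_START; the other two are Xdebug's alternative trigger
# names and are included for completeness.
XDEBUG_TRIGGERS = ("XDEBUG_SESSION_START", "XDEBUG_SESSION", "XDEBUG_TRIGGER")

# Constructed sample log (not from the report).  203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real scanner addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2025:10:14:01 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2025:10:14:03 +0000] "GET /index.php HTTP/1.1" 200 8871 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2025:10:14:04 +0000] "GET /wp-login.php?XDEBUG_SESSION_START=phpstorm&redirect_to=%2F HTTP/1.1" 200 2208 "-" "python-requests/2.31"
198.51.100.7 - - [29/Oct/2025:10:14:09 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2025:10:14:10 +0000] "GET /?XDEBUG_TRIGGER HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xdebug_trigger(target):
    """Return (key, value) for an Xdebug trigger in the request target, else None.

    Xdebug reads the trigger from $_GET, so the key name is matched exactly
    (case-sensitive).  keep_blank_values keeps a bare '?XDEBUG_TRIGGER' visible.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key in XDEBUG_TRIGGERS:
        if key in params:
            return key, params[key][0]
    return None


def scan_lines(text):
    """Return a list of findings, one per request carrying an Xdebug trigger."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; report these separately in real use
        hit = xdebug_trigger(rec["target"])
        if hit:
            findings.append({"src": rec["src"], "ts": rec["ts"],
                             "target": rec["target"],
                             "key": hit[0], "value": hit[1]})
    return findings


def sources_by_hits(findings):
    """Count probing sources, most active first (candidates for blocking or alerting)."""
    return Counter(f["src"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['src']} {f['key']}={f['value']!r} {f['target']}")
    print("sources:", sources_by_hits(hits))
```

On a host where Xdebug is not installed, a hit is only a scanner fingerprint and is useful for blocking the source; on a host where Xdebug is loaded, a hit means the extension may have accepted a session, and the server should be inspected and the extension removed from the production build.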

Separately, threat actors continue to search internet-exposed servers for credentials, API keys, and access tokens that give them control of susceptible systems, and to exploit known security flaws in IoT devices in order to enlist those devices into botnets. These flaws include:

  • CVE-2022-22947 – Spring Cloud Gateway remote code execution vulnerability
  • CVE-2024-3721 – TBK DVR-4104 and DVR-4216 Command Injection Vulnerability
  • Misconfiguration of MVPower TV-7104HE DVR allows unauthenticated users to execute arbitrary system commands via HTTP GET requests

Qualys added that scanning activity often originates from cloud infrastructure such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, demonstrating how threat actors are exploiting legitimate services for their own benefit while hiding their true origin.

“Today’s threat actors do not need to be highly sophisticated to be effective,” the report said. “The ubiquity of exploit kits, botnet frameworks, and scanning tools means that even entry-level attackers can cause significant damage.”

To protect against this threat, users are advised to keep their devices up to date, remove development and debugging tools from production systems, store secrets in a secrets manager such as AWS Secrets Manager or HashiCorp Vault, and limit public access to their cloud infrastructure.
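The recommendation to strip debugging tools from production can be checked mechanically. The following Python script is an added example, not the report's or Qualys' tooling: it parses a php.ini or conf.d fragment and reports Xdebug being loaded, the Xdebug 2 and 3 settings that allow a request to start a debugging session (the mechanism the Xdebug probe above relies on), and two classic information-disclosure directives. The directive names are real php.ini and Xdebug settings; which values count as unsafe is this example's own policy assumption, and both ini fragments are constructed.

```python
"""Audit a php.ini / conf.d fragment for debugging features that should not be
present on an internet-facing PHP server.  Added example (not from the Qualys
report); the two ini fragments below are constructed."""
import re

INI_LINE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$')


def _truthy(v):
    """php.ini boolean spellings, after lower-casing."""
    return v in {"1", "on", "yes", "true"}


# (directive, predicate on the normalised value, finding text).  Directive
# names are real php.ini / Xdebug settings; the policy is this example's.
CHECKS = [
    ("xdebug.mode", lambda v: v != "off",
     "Xdebug 3 features are enabled (set xdebug.mode=off or unload the extension)"),
    ("xdebug.start_with_request", lambda v: v in {"yes", "trigger"},
     "a request trigger such as XDEBUG_SESSION_START can start a session"),
    ("xdebug.discover_client_host", _truthy,
     "Xdebug will connect back to whichever host sent the request"),
    ("xdebug.remote_enable", _truthy, "Xdebug 2 remote debugging is enabled"),
    ("xdebug.remote_connect_back", _truthy,
     "Xdebug 2 will connect back to the requesting host"),
    ("display_errors", _truthy, "errors (paths, stack traces) are shown to clients"),
    ("expose_php", _truthy, "the PHP version is advertised in X-Powered-By"),
]

# Constructed: a development php.ini that was copied onto a production host.
WEAK_INI = """\
; development settings
zend_extension=xdebug.so
xdebug.mode=debug
xdebug.start_with_request=trigger
xdebug.discover_client_host=1
display_errors=On
expose_php=On
"""

# Constructed: production settings, Xdebug not loaded at all.
HARDENED_INI = """\
; production settings
display_errors=Off
log_errors=On
expose_php=Off
"""


def parse_ini(text):
    """Return {directive: [values]}; a directive may repeat (e.g. zend_extension)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        m = INI_LINE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).strip().strip('"').strip("'").lower()
        out.setdefault(key, []).append(value)
    return out


def audit(ini_text):
    """Return a list of human-readable findings for the given ini text."""
    cfg = parse_ini(ini_text)
    findings = []
    if any("xdebug" in v for v in cfg.get("zend_extension", [])):
        findings.append("zend_extension loads Xdebug; unload it on production hosts")
        if "xdebug.mode" not in cfg:
            findings.append("xdebug.mode is not set; Xdebug 3 defaults to 'develop'")
    for name, unsafe, text in CHECKS:
        for value in cfg.get(name, []):
            if unsafe(value):
                findings.append(f"{name}={value}: {text}")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"[{label}] {len(audit(ini))} finding(s)")
        for f in audit(ini):
            print("  -", f)
```

Point it at the output of `php --ini` (every loaded file and conf.d fragment) rather than a single file, since a distribution package often drops Xdebug into its own conf.d snippet that a hand-edited php.ini never mentions.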

“Botnets have traditionally been associated with large-scale DDoS attacks and the occasional cryptocurrency mining scam, but in the era of identity security threats, we believe botnets are taking on a new role in the threat ecosystem,” said James Maud, Field CTO at BeyondTrust.

“Access to a vast network of routers and their IP addresses allows attackers to perform credential stuffing and password spraying attacks at scale. Botnets can steal user credentials or hijack browser sessions, using botnet nodes close to the victim’s physical location or even using the same ISP as the victim to attack anomalous login detection and access. You can also circumvent location controls by circumventing policies.”

The disclosure comes after NETSCOUT classified the DDoS-for-hire botnet known as AISURU as a new class of malware it calls TurboMirai, which is capable of launching DDoS attacks exceeding 20 terabits per second (Tbps). The botnet consists mainly of consumer broadband access routers, internet-connected CCTV and DVR systems, and other customer premises equipment (CPE).


“These botnets incorporate additional dedicated DDoS attack capabilities and multi-purpose capabilities, enabling both DDoS attacks and other illegal activities such as credential stuffing, artificial intelligence (AI) web scraping, spamming, and phishing,” the company said.

“AISURU includes an onboard residential proxy service that is used to reflect HTTPS application-layer DDoS attacks generated by external attack harnesses.”

Once a compromised device has been turned into a residential proxy, paying customers can route their traffic through that botnet node, gaining anonymity and the ability to blend in with normal network activity. Independent security journalist Brian Krebs, citing data from spur.us, says all major proxy services have seen rapid growth over the past six months.
