Cybersecurity researchers have identified a significant surge in automated attacks targeting PHP servers, Internet of Things (IoT) devices, and cloud gateways. Various botnets, including Mirai, Gafgyt, and Mozi, are actively exploiting known vulnerabilities and cloud misconfigurations to gain control of exposed systems and expand their networks.
These automated campaigns leverage publicly disclosed CVE vulnerabilities and insecure cloud settings to compromise internet-facing systems. The Qualys Threat Research Unit (TRU) reported that PHP servers, in particular, have become a prime target due to the pervasive use of content management systems like WordPress and Craft CMS. This widespread adoption, coupled with common issues such as misconfigurations, outdated plugins, and insecure file storage, creates a substantial attack surface.
Automated Attacks Leverage PHP and IoT Vulnerabilities
The increasing prevalence of these automated attacks highlights a growing threat landscape where even less sophisticated actors can cause significant disruption. Widely available exploit kits, botnet frameworks, and scanning tools empower entry-level attackers to compromise vulnerable systems and integrate them into malicious botnets.
Several prominent weaknesses in PHP frameworks have been repeatedly exploited by threat actors. These include Remote Code Execution (RCE) vulnerabilities such as CVE-2017-9841 in PHPUnit, CVE-2021-3129 in Laravel, and CVE-2022-47945 in the ThinkPHP Framework. Researchers also observed exploitation attempts involving the use of specific query strings in HTTP GET requests, notably “/?XDEBUG_SESSION_START=phpstorm,” which can be used to initiate an Xdebug debugging session.
According to Qualys, if Xdebug is inadvertently left active in production environments, attackers can exploit these sessions. They may gain insights into application behavior or extract sensitive data, further compromising system security. This underscores the importance of rigorous security hygiene in production environments.
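As an added example that is not part of the Qualys report, the following Python scanner walks web-server access-log lines and flags requests carrying the XDEBUG_SESSION_START parameter described above, so a defender can spot probing for a forgotten Xdebug install; the log lines are constructed and the combined-log-format regex is an assumption about how the server logs requests.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed Apache/Nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Xdebug opens a debugging session when this GET/POST parameter is present;
# the value is the IDE key (e.g. "phpstorm"). Matched case-insensitively to be safe.
XDEBUG_PARAM = "XDEBUG_SESSION_START"


def xdebug_probe(target):
    """Return the IDE key if the request target carries XDEBUG_SESSION_START, else None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in query.items():
        if key.upper() == XDEBUG_PARAM:
            return values[0] if values else ""
    return None


def scan_access_log(lines):
    """Return one finding per request that tries to start an Xdebug session."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the assumed format; skip rather than guess
        ide_key = xdebug_probe(m["target"])
        if ide_key is None:
            continue
        # A 2xx status only says the app answered; correlate with whether
        # the xdebug extension is actually loaded on that host.
        findings.append({"ip": m["ip"], "time": m["ts"], "target": m["target"],
                         "ide_key": ide_key, "status": int(m["status"])})
    return findings


# Constructed sample log lines (RFC 5737 test addresses); two are Xdebug probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2025:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:13:56:12 +0000] "GET /index.php?foo=1&xdebug_session_start=ECLIPSE HTTP/1.1" 404 231 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```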
In addition to PHP vulnerabilities, threat actors are actively searching for exposed credentials, API keys, and access tokens on internet-facing servers. Concurrently, they are exploiting known security flaws in IoT devices to commandeer them into botnets. Notable examples of exploited IoT vulnerabilities include CVE-2022-22947, an RCE vulnerability in Spring Cloud Gateway, and CVE-2024-3721, a command injection vulnerability found in TBK DVR-4104 and DVR-4216 devices. A misconfiguration in MVPower TV-7104HE DVR has also been exploited, allowing unauthenticated users to execute arbitrary system commands via HTTP GET requests.
The scanning activity for these vulnerabilities often originates from legitimate cloud infrastructures such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud. This practice allows threat actors to obscure their true origins while leveraging the vast resources of these trusted services.
Evolving Botnet Capabilities and Implications
The nature of botnets is evolving beyond traditional Distributed Denial of Service (DDoS) attacks. James Maude, Field CTO at BeyondTrust, notes that in the current era of identity security threats, botnets are taking on new roles in the threat ecosystem. Access to a vast network of routers and their IP addresses can enable threat actors to conduct large-scale credential stuffing and password spray attacks.
Furthermore, botnets can effectively evade geolocation controls. By stealing user credentials or hijacking browser sessions, attackers can use botnet nodes located near the victim’s actual location, or even within the same Internet Service Provider (ISP) as the victim, to bypass unusual login detection and access policies.
This evolving threat landscape is further highlighted by NETSCOUT’s classification of the DDoS-for-hire botnet known as AISURU. Dubbed “TurboMirai,” this new class of malware can launch DDoS attacks exceeding 20 terabits per second (Tbps). The botnet is largely composed of consumer-grade broadband access routers, online CCTV and DVR systems, and other customer premises equipment (CPE).
These advanced botnets are incorporating dedicated DDoS attack capabilities alongside multi-use functions. This allows them to execute not only DDoS attacks but also other illicit activities, including credential stuffing, AI-driven web scraping, spamming, and phishing. AISURU, for instance, includes an onboard residential proxy service that allows paying customers to route their traffic through botnet nodes, providing anonymity and the ability to blend in with normal network activity.
The implications of these evolving botnets are significant. As compromised devices are turned into residential proxies, sophisticated attackers can conduct malicious activities with a reduced risk of detection. The growth of these proxy services, as indicated by data from spur.us, points to an increasing demand for such anonymizing infrastructure within the cybercriminal underground.
Looking ahead, organizations must prioritize robust security measures to counter these multifaceted threats. This includes keeping all software and devices updated, diligently removing development and debugging tools from production environments, and implementing secure methods for managing secrets, such as AWS Secrets Manager or HashiCorp Vault. Restricting public access to cloud infrastructure and implementing strong network segmentation are also crucial steps in mitigating the impact of these automated attacks.