Surge in Botnet Attacks Targets PHP Servers, IoT Devices, and Cloud Gateways

Cybersecurity researchers have sounded the alarm over a sharp increase in automated attacks targeting PHP servers, Internet of Things (IoT) devices, and cloud gateways. These attacks, primarily driven by well-known botnets such as Mirai, Gafgyt, and Mozi, are exploiting known vulnerabilities and misconfigurations to gain unauthorized control over exposed systems and to grow the botnets themselves. According to a report from the Qualys Threat Research Unit (TRU), PHP servers have become prime targets due to their widespread use in content management systems like WordPress and Craft CMS, which often suffer from outdated plugins, insecure file storage, and misconfigurations.

Several vulnerabilities in PHP frameworks have been heavily exploited, including CVE-2017-9841 in PHPUnit, CVE-2021-3129 in Laravel, and CVE-2022-47945 in ThinkPHP Framework. Qualys also noted that attackers are attempting to initiate Xdebug debugging sessions using the “/?XDEBUG_SESSION_START=phpstorm” query string, which can inadvertently expose sensitive data if Xdebug remains active in production environments.
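A defender-side check for the Xdebug probe just described, as an added example that is not part of the Qualys report: it parses web-server access-log lines in combined log format, flags any request whose query string carries the XDEBUG_SESSION_START parameter, and counts probes per source address so a scanning host stands out. The log lines are constructed samples using documentation IP ranges, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_xdebug_probe(target):
    """True if the request target carries an XDEBUG_SESSION_START parameter.
    The parameter name is matched case-insensitively so variant spellings
    used by scanners are still flagged; the value (e.g. "phpstorm") is ignored."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(k.upper() == "XDEBUG_SESSION_START" for k in params)

def find_xdebug_probes(lines):
    """Return (hits, per_ip): the parsed lines that are Xdebug probes and a
    Counter of how many probes each source address sent."""
    hits = [rec for rec in map(parse_line, lines)
            if rec and is_xdebug_probe(rec["target"])]
    return hits, Counter(h["ip"] for h in hits)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:08:01:12 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:08:01:13 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 404 198 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2025:08:02:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2025:08:03:05 +0000] "GET /?xdebug_session_start=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, per_ip = find_xdebug_probes(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} Xdebug session-start probe(s)")
```

A hit is a prompt to confirm that the Xdebug extension is absent from the production PHP build, which is the mitigation the report recommends, rather than only to block the probing address.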

In addition to PHP servers, attackers are targeting IoT devices and cloud infrastructure by searching for credentials, API keys, and access tokens on publicly exposed systems. Notable vulnerabilities being exploited include CVE-2022-22947 in Spring Cloud Gateway, CVE-2024-3721 in TBK DVR systems, and a misconfiguration in MVPower DVRs that allows unauthenticated users to execute arbitrary commands. Many of these attacks originate from major cloud platforms such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure, DigitalOcean, and Akamai Cloud, enabling threat actors to hide their true locations behind legitimate infrastructure.

Experts warn that modern attackers no longer need to be highly sophisticated to inflict serious damage. With easy access to exploit kits, botnet frameworks, and automated scanning tools, even less experienced hackers can conduct large-scale attacks. To mitigate these threats, cybersecurity professionals recommend keeping systems updated, removing debugging tools from production environments, securing credentials with services like AWS Secrets Manager or HashiCorp Vault, and limiting public access to cloud resources.

Beyond traditional uses such as Distributed Denial-of-Service (DDoS) attacks and cryptocurrency mining, botnets are increasingly being leveraged for identity-related threats. James Maude, Field CTO at BeyondTrust, explained that botnets can now perform credential stuffing and password spraying on a massive scale. By hijacking routers and using local IP addresses, attackers can even bypass geolocation-based security controls and mimic legitimate user behavior.

The report coincides with findings from NETSCOUT, which identified a powerful new DDoS-for-hire botnet called AISURU, classified as part of the TurboMirai malware family. This botnet, composed largely of consumer-grade routers, CCTV systems, and DVRs, can execute DDoS attacks exceeding 20 terabits per second. AISURU also includes a built-in residential proxy service that allows paying customers to disguise malicious traffic as normal user activity. Security journalist Brian Krebs noted that such proxy services have surged in growth over the past six months, further blurring the line between legitimate and malicious network activity.