Surge in Automated Botnet Attacks Targets PHP Servers and IoT Devices
Cybersecurity experts have observed a significant uptick in automated attacks targeting PHP servers, Internet of Things (IoT) devices, and cloud gateways. Notable botnets such as Mirai, Gafgyt, and Mozi are orchestrating these campaigns, exploiting known vulnerabilities and cloud misconfigurations to commandeer exposed systems and expand their networks.
PHP servers have become prime targets due to the widespread adoption of content management systems like WordPress and Craft CMS. This extensive use has inadvertently created a vast attack surface, as many PHP deployments suffer from misconfigurations, outdated plugins and themes, and insecure file storage practices.
Among the vulnerabilities exploited by attackers are:
– CVE-2017-9841: A remote code execution flaw in PHPUnit.
– CVE-2021-3129: A remote code execution vulnerability in Laravel.
– CVE-2022-47945: A remote code execution issue in the ThinkPHP Framework.
Additionally, attackers have been observed initiating Xdebug debugging sessions by appending the query string /?XDEBUG_SESSION_START=phpstorm to HTTP GET requests. If Xdebug is inadvertently left active in production environments, such sessions can provide attackers with insights into application behavior or access to sensitive data.
Beyond PHP servers, threat actors are actively seeking credentials, API keys, and access tokens in internet-exposed servers to gain control over vulnerable systems. They are also exploiting known security flaws in IoT devices to incorporate them into botnets. Notable vulnerabilities include:
– CVE-2022-22947: A remote code execution vulnerability in Spring Cloud Gateway.
– CVE-2024-3721: A command injection vulnerability in TBK DVR-4104 and DVR-4216.
– A misconfiguration in MVPower TV-7104HE DVR that allows unauthenticated users to execute arbitrary system commands via an HTTP GET request.
These scanning activities often originate from cloud infrastructures such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud. This trend underscores how threat actors are leveraging legitimate services to mask their true origins.
The accessibility of exploit kits, botnet frameworks, and scanning tools has lowered the barrier to entry for cybercriminals. Even individuals with minimal technical expertise can now launch significant attacks.
To mitigate these threats, it is recommended that organizations:
– Regularly update devices and software to patch known vulnerabilities.
– Remove development and debugging tools from production environments.
– Secure sensitive information using tools like AWS Secrets Manager or HashiCorp Vault.
– Restrict public access to cloud infrastructure to minimize exposure.
James Maude, Field CTO at BeyondTrust, highlights the evolving role of botnets in the current threat landscape. Beyond their traditional use in large-scale Distributed Denial of Service (DDoS) attacks and cryptocurrency mining scams, botnets now facilitate credential stuffing and password spraying attacks on a massive scale. By controlling a vast network of routers and their IP addresses, attackers can bypass geolocation controls, making their activities more challenging to detect and mitigate.
