
Ethical Hacking News

A Global Cyber Threat Landscape: The Rise of Automated Botnet Attacks Targeting PHP Servers and IoT Devices



A global cyber threat landscape has emerged with a sharp increase in automated botnet attacks targeting PHP servers and IoT devices. These attacks exploit known vulnerabilities and cloud misconfigurations to gain control over exposed systems, expand botnet networks, and launch DDoS attacks exceeding 20 terabits per second (Tbps). The Qualys TRU report highlights the need for robust cybersecurity measures, including penetration testing, vulnerability assessments, and incident response plans. Individuals must also take proactive steps to secure their devices, networks, and online presence by keeping software up-to-date, using strong passwords, and being cautious when clicking on links or downloading attachments from unknown sources.

  • A surge in automated botnet attacks targeting PHP servers, IoT devices, and cloud gateways has been observed.
  • The attacks exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems.
  • PHP servers are the most prominent targets due to widespread use of content management systems like WordPress and Craft CMS.
  • Weaknesses in PHP frameworks have been exploited, including Remote Code Execution (RCE) vulnerabilities.
  • Attackers are targeting credentials, API keys, and access tokens in internet-exposed servers.
  • IoT devices with known security flaws are being co-opted into botnets.
  • Cybersecurity experts advise keeping devices up-to-date, securing secrets, and restricting public access to cloud infrastructure.



    A recent report by the Qualys Threat Research Unit (TRU) has revealed a sharp increase in automated botnet attacks targeting PHP servers, Internet of Things (IoT) devices, and cloud gateways. This surge in malicious activity has significant implications for individuals, businesses, and organizations worldwide.

    The Qualys TRU report highlights that these automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks. PHP servers have emerged as the most prominent targets of these attacks due to the widespread use of content management systems like WordPress and Craft CMS. This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage.

    The report also reveals that some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors include:

    * CVE-2017-9841: A remote code execution vulnerability in PHPUnit
    * CVE-2021-3129: A remote code execution vulnerability in Laravel
    * CVE-2022-47945: A remote code execution vulnerability in ThinkPHP Framework

    Furthermore, the Qualys TRU report states that exploitation attempts using the query string "/?XDEBUG_SESSION_START=phpstorm" in HTTP GET requests have also been observed; this parameter asks Xdebug to open a debugging session with an integrated development environment (IDE) such as PhpStorm. If Xdebug is unintentionally left active in production environments, attackers may use these sessions to gain insight into application behavior or extract sensitive data.
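    The probes described above leave a recognisable trace in ordinary web server access logs, so a defender can count them per source without any Xdebug-specific tooling. The following Python script is an added example and not code from the report or this article: it parses a few constructed log lines in the Apache/nginx "combined" format and flags any request whose query string carries an Xdebug session trigger. The page only names XDEBUG_SESSION_START; the additional XDEBUG_TRIGGER name is assumed here from Xdebug 3's documented trigger parameters, and the IP addresses and timestamps are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2025:10:01:02 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2025:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2025:10:01:09 +0000] "GET /wp-login.php?xdebug_session_start=1 HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.44 - - [29/Oct/2025:10:02:11 +0000] "GET /about?page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format entry: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query-string names that ask Xdebug to start a debugging session (compared case-insensitively).
# XDEBUG_SESSION_START is the name seen in the report; XDEBUG_TRIGGER is the Xdebug 3 equivalent (assumed).
XDEBUG_PARAMS = {"xdebug_session_start", "xdebug_trigger"}


def parse_line(line):
    """Return (ip, timestamp, method, target, status) or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), m.group("ts"), m.group("method"),
            m.group("target"), int(m.group("status")))


def is_xdebug_probe(target):
    """True if the request target's query string carries an Xdebug session trigger."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(name.lower() in XDEBUG_PARAMS for name in params)


def find_xdebug_probes(log_text):
    """Return (ip, timestamp, target, status) for every Xdebug probe in the log text."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or non-combined lines rather than crashing
        ip, ts, _method, target, status = parsed
        if is_xdebug_probe(target):
            hits.append((ip, ts, target, status))
    return hits


def probes_per_source(log_text):
    """Count Xdebug probes per client IP; repeated hits from one source point to an automated scanner."""
    return Counter(ip for ip, _ts, _target, _status in find_xdebug_probes(log_text))


if __name__ == "__main__":
    for ip, ts, target, status in find_xdebug_probes(SAMPLE_LOG):
        print(f"{ts} {ip} -> {target} (HTTP {status})")
    print(dict(probes_per_source(SAMPLE_LOG)))
```

    Because a production server should never have Xdebug loaded, any hit is worth a look regardless of the HTTP status returned; the per-source count is what separates a single curious request from a scanner sweeping many hosts.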

    The report also notes that threat actors are continuing to look for credentials, API keys, and access tokens in internet-exposed servers to take control of susceptible systems. Additionally, they are leveraging known security flaws in IoT devices to co-opt them into a botnet, including:

    * CVE-2022-22947: A remote code execution vulnerability in Spring Cloud Gateway
    * CVE-2024-3721: A command injection vulnerability in TBK DVR-4104 and DVR-4216
    * A misconfiguration in MVPower TV-7104HE DVR that allows unauthenticated users to execute arbitrary system commands via an HTTP GET request

    In light of this growing threat landscape, cybersecurity experts are advising users to keep their devices up-to-date, remove development and debug tools in production environments, secure secrets using AWS Secrets Manager or HashiCorp Vault, and restrict public access to cloud infrastructure.
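    The advice to remove development and debug tools from production can be turned into a repeatable check against the PHP configuration itself. The script below is an added example, not code from the report or from any of the projects named in this article: it parses a constructed php.ini excerpt and reports settings that should not be present on an internet-facing server, namely a loaded Xdebug extension, an xdebug.mode other than off, display_errors enabled, and expose_php enabled. The directive names are real php.ini and Xdebug 3 directives; the sample values and the treatment of a missing xdebug.mode as Xdebug 3's default of "develop" are assumptions made for the example.

```python
# Constructed php.ini excerpt (not from any real deployment) with development settings left in place.
SAMPLE_INI = """\
; Development settings accidentally shipped to production
zend_extension=xdebug.so
xdebug.mode=debug
xdebug.client_host=127.0.0.1
display_errors = On
expose_php = On
error_reporting = E_ALL
allow_url_include = Off
"""

# A hardened counterpart for comparison: no Xdebug, errors hidden, version banner suppressed.
HARDENED_INI = """\
display_errors = Off
expose_php = Off
allow_url_include = Off
"""


def parse_ini(text):
    """Parse flat php.ini text into a dict; zend_extension may repeat, so it is kept as a list."""
    settings = {"zend_extension": []}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank lines, [section] headers and malformed lines are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key.lower() == "zend_extension":
            settings["zend_extension"].append(value)
        else:
            settings[key.lower()] = value
    return settings


def is_on(value):
    """php.ini accepts several spellings of a boolean true."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit_production_ini(text):
    """Return a list of (directive, value, reason) findings for production-unsafe settings."""
    s = parse_ini(text)
    findings = []

    xdebug_exts = [e for e in s["zend_extension"] if "xdebug" in e.lower()]
    if xdebug_exts:
        findings.append(("zend_extension", ", ".join(xdebug_exts),
                         "Xdebug is loaded; debug extensions do not belong on production servers"))
        mode = s.get("xdebug.mode", "develop")  # assumed Xdebug 3 default when unset
        if mode.lower() != "off":
            findings.append(("xdebug.mode", mode,
                             "Xdebug is active and will honour session-start triggers from clients"))

    if is_on(s.get("display_errors", "0")):
        findings.append(("display_errors", s["display_errors"],
                         "stack traces and file paths are shown to every visitor"))

    if is_on(s.get("expose_php", "0")):
        findings.append(("expose_php", s["expose_php"],
                         "the X-Powered-By header advertises the exact PHP version"))

    return findings


if __name__ == "__main__":
    for directive, value, reason in audit_production_ini(SAMPLE_INI):
        print(f"{directive} = {value}: {reason}")
    print("hardened findings:", audit_production_ini(HARDENED_INI))
```

    Run against the live configuration (for example the output of `php --ini` locating the loaded files), the same function gives a quick pass/fail for each host in a fleet; an empty findings list is the expected result for a production web tier.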

    James Maude, field CTO at BeyondTrust, stated that "having access to a vast network of routers and their IP addresses can allow threat actors to perform credential stuffing and password spray attacks on a huge scale." He also noted that botnets can evade geolocation controls by stealing a user's credentials or hijacking a browser session and then using a botnet node close to the victim's actual location, maybe even using the same ISP as the victim to evade unusual login detections or access policies.

    The disclosure comes as NETSCOUT classified the DDoS-for-hire botnet known as AISURU as a new class of malware dubbed TurboMirai that can launch DDoS attacks exceeding 20 terabits per second (Tbps). The botnet primarily comprises consumer-grade broadband access routers, online CCTV and DVR systems, and other customer premises equipment (CPE).

    These botnets incorporate additional dedicated DDoS attack capabilities and multi-use functions, enabling both DDoS attacks and other illicit activities such as credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing.

    The report also highlights that all of the major proxy services have grown exponentially over the past six months, citing data from spur.us.

    A recent discovery by independent security journalist Brian Krebs has revealed that a residential proxy service offered for sale on the dark web can route traffic through one of the nodes in the botnet, providing anonymity and allowing users to blend in with regular network activity.

    The implications of this growing threat landscape are far-reaching, highlighting the need for organizations to implement robust cybersecurity measures, including penetration testing, vulnerability assessments, and incident response plans. It is also crucial for individuals to take proactive steps to secure their devices, networks, and online presence by keeping software up-to-date, using strong passwords, and being cautious when clicking on links or downloading attachments from unknown sources.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Global-Cyber-Threat-Landscape-The-Rise-of-Automated-Botnet-Attacks-Targeting-PHP-Servers-and-IoT-Devices-ehn.shtml

  • https://thehackernews.com/2025/10/experts-reports-sharp-increase-in.html

  • https://www.infosecurity-magazine.com/news/php-servers-and-iot-devices-cyber/


  • Published: Wed Oct 29 11:35:54 2025 by llama3.2 3B Q4_K_M












