Cyberwire Daily
PHP Servers and IoT Devices Face Growing Cyber-Attack Risks

By Team-CWD | October 29, 2025


A sharp increase in attacks targeting PHP servers, internet of things (IoT) devices and cloud gateways has been identified by cybersecurity researchers.

The latest report by the Qualys Threat Research Unit (TRU), published today, attributes the rise to botnets such as Mirai, Gafgyt and Mozi, which are exploiting known CVEs and cloud misconfigurations to expand their reach.

With PHP powering over 73% of websites and 82% of enterprises reporting incidents linked to cloud misconfigurations, the digital attack surface continues to grow. This makes servers running PHP-based applications, such as WordPress, especially attractive to attackers seeking remote code execution (RCE) or data theft opportunities.

“Routers and IoT devices have long been targeted and compromised to form increasingly large botnets,” said James Maude, field CTO at BeyondTrust.

“Almost a decade ago, we saw the rise of the Mirai botnet, which initially abused 60 default usernames and passwords to log into and infect a huge number of devices.” 

He added that while history doesn’t repeat itself, “it often rhymes when it comes to router compromise and botnets.”

Key Vulnerabilities Under Active Attack

Qualys highlighted several vulnerabilities currently being exploited in the wild:

  • CVE-2022-47945: An RCE flaw in ThinkPHP due to improper input sanitization

  • CVE-2021-3129: A Laravel Ignition debugging route left active in production

  • CVE-2017-9841: A long-standing PHPUnit flaw exposing the eval-stdin.php script

Attackers also exploit insecure configurations, such as active debugging tools like XDebug or improperly stored secrets.

Qualys researchers noted frequent attempts to retrieve sensitive Amazon Web Services (AWS) credential files from exposed Linux servers.
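A defender can look for these probes in web server access logs. The following Python sketch is an added example, not code from Qualys or the article; the URL fragments used as signatures and the log lines are constructed assumptions about how such requests appear in a combined-format log.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Signatures for the issues named in the article. The URL fragments are
# assumptions about how these probes show up in request paths.
SIGNATURES = {
    "phpunit-eval-stdin (CVE-2017-9841)": re.compile(r"eval-stdin\.php", re.I),
    "laravel-ignition-route (CVE-2021-3129)": re.compile(r"/_ignition/", re.I),
    "aws-credential-file": re.compile(r"\.aws/credentials", re.I),
    "xdebug-session-probe": re.compile(r"XDEBUG_SESSION", re.I),
}

# Combined log format: ip - - [ts] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2025:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [29/Oct/2025:10:01:03 +0000] "GET /_ignition/health-check HTTP/1.1" 200 21 "-" "-"',
    '198.51.100.23 - - [29/Oct/2025:10:02:10 +0000] "GET /.aws/credentials HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.23 - - [29/Oct/2025:10:02:11 +0000] "GET /%2Eaws/credentials HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.23 - - [29/Oct/2025:10:02:12 +0000] "GET /index.php?XDEBUG_SESSION_START=1 HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [29/Oct/2025:10:03:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "-"',
]

def scan(lines):
    """Return {signature: [(ip, path, status, served)]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path, status = m.groups()
        path = unquote(path)  # catch percent-encoded variants such as %2Eaws
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                # served=True (2xx) means the route or file answered: triage first
                hits[name].append((ip, path, int(status), status.startswith("2")))
    return dict(hits)

if __name__ == "__main__":
    for name, rows in scan(SAMPLE_LOG).items():
        for ip, path, status, served in rows:
            print(f"{name}: {ip} {path} {status} served={served}")
```

A 2xx status on any of these paths means the debug route or file is reachable in production and should be handled before the 4xx noise.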

Read more on cloud misconfiguration risks: Hackers Exploit Misconfigurations in Public Websites With Improperly Exposed AWS Credentials

IoT and Cloud Systems Remain Exposed

IoT devices remain a persistent weak link, particularly those running outdated firmware. The report cites CVE-2024-3721, a TBK DVR command injection flaw exploited by Mirai-like botnets, as well as similar attacks targeting MVPower DVRs with built-in backdoors.

“While botnets have previously been associated with large-scale DDoS attacks and occasional crypto-mining scams, in the age of identity security threats, we see them taking on a new role in the threat ecosystem,” Maude said.

He explained that access to vast networks of compromised routers allows attackers to perform large-scale credential stuffing and password spraying campaigns.

Cloud-native environments are also at risk, with CVE-2022-22947 in Spring Cloud Gateway allowing unauthenticated code execution.

“Security teams once had positive control of the data centers where production data and systems lived,” said Trey Ford, chief strategy and trust officer at Bugcrowd.

“In the age of modern cloud-native and infrastructure as code, developers have the ability to both light up and connect services and infrastructure faster than security teams can identify it.”

Ford emphasized that “staying current with your attack surface is a critical path capability,” adding, “if you can’t see it, can’t identify changes, how can you defend it?”

Building Resilience Against Exploitation

Scott Schneider, partner GTM at iCOUNTER, noted that “risk-based vulnerability management (RBVM) is an effective method to tackle an ever-growing list of vulnerabilities.” 

By evaluating asset criticality, threat likelihood and exposure, organizations can “focus their remediation efforts on the vulnerabilities that present the most immediate and serious risks,” he explained.

To reduce exposure, Qualys also recommended:

  • Timely patching of software and frameworks

  • Disabling development and debugging tools in production

  • Using managed stores for secrets rather than plaintext files

  • Restricting network access to essential IPs only

  • Monitoring cloud access logs for credential misuse
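Two of these recommendations, disabling debugging tools in production and keeping secrets out of plaintext files, can be checked automatically before deployment. The Python sketch below is an added example, not tooling from Qualys; it assumes a Laravel-style `.env` file and a `php.ini`, and the sample file contents are constructed.

```python
import re

TRUTHY = {"1", "true", "on", "yes"}
SECRET_KEY_RE = re.compile(r"(SECRET|PASSWORD|TOKEN)", re.I)

# Constructed sample files; the secret value is a placeholder, not a real key.
SAMPLE_ENV = """APP_ENV=production
APP_DEBUG=true
AWS_ACCESS_KEY_ID=constructed-key-id
AWS_SECRET_ACCESS_KEY=constructed-placeholder-not-a-real-key
DB_PASSWORD=
"""
SAMPLE_INI = """[PHP]
display_errors = On
; development leftovers
zend_extension=xdebug
xdebug.mode = debug,develop
"""

def parse_kv(text):
    """Parse KEY=VALUE lines (dotenv or php.ini style) into a dict."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment, or [section] header
        key, sep, val = line.partition("=")
        if sep:
            out[key.strip()] = val.strip().strip("\"'")
    return out

def audit_env(text):
    """Flag debug mode and non-empty secret-like keys in a .env file."""
    cfg, findings = parse_kv(text), []
    if cfg.get("APP_DEBUG", "").lower() in TRUTHY:
        findings.append("APP_DEBUG is enabled")
    for key, val in cfg.items():
        if SECRET_KEY_RE.search(key) and val:
            findings.append(f"plaintext secret in file: {key}")  # never log the value
    return findings

def audit_php_ini(text):
    """Flag error display and a loaded or active Xdebug in php.ini."""
    cfg = {k.lower(): v.lower() for k, v in parse_kv(text).items()}
    findings = []
    if cfg.get("display_errors") in TRUTHY:
        findings.append("display_errors is on")
    if "xdebug" in cfg.get("zend_extension", ""):
        findings.append("xdebug extension is loaded")
    if cfg.get("xdebug.mode", "off") != "off":
        findings.append(f"xdebug.mode is {cfg['xdebug.mode']}")
    return findings
```

Run as a CI gate, a non-empty findings list from either function would block the release.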

Qualys concluded that attackers no longer need advanced skills to launch impactful attacks.

“With widely available exploit kits and scanning tools, even entry-level actors can cause significant damage,” the researchers said.

The company urged organizations to adopt continuous visibility and automated remediation to defend PHP servers, IoT devices and cloud systems from ongoing exploitation.


