Rising Cyber-Attacks Target PHP Servers and IoT Devices

▼ Summary
– Cybersecurity researchers report a sharp increase in attacks targeting PHP servers, IoT devices, and cloud gateways, driven by botnets like Mirai, Gafgyt, and Mozi.
– Botnets are exploiting known vulnerabilities and cloud misconfigurations to expand their reach, with PHP-based applications and IoT devices being particularly vulnerable due to their widespread use.
– Specific vulnerabilities under active attack include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit, along with insecure configurations like exposed debugging tools and AWS credentials.
– IoT devices with outdated firmware and cloud-native environments remain exposed, enabling attackers to perform large-scale credential stuffing and password spraying campaigns.
– To build resilience, experts recommend timely patching, disabling development tools in production, using managed secrets stores, and adopting continuous visibility and automated remediation.
A significant surge in cyber-attacks is currently aimed at PHP servers, Internet of Things (IoT) devices, and cloud gateways, creating a rapidly expanding threat landscape for organizations worldwide. According to a new report from the Qualys Threat Research Unit, this uptick is largely driven by notorious botnets like Mirai, Gafgyt, and Mozi. These malicious networks are aggressively exploiting known security vulnerabilities and common cloud misconfigurations to broaden their reach and power.
Given that PHP underpins more than 73% of all websites and a vast majority of enterprises have reported security incidents tied to cloud setup errors, the potential attack surface is enormous. Servers running popular PHP applications, including WordPress, have become prime targets for criminals seeking to achieve remote code execution or steal sensitive data.
James Maude, Field CTO at BeyondTrust, observed that routers and IoT devices have been a favorite target for botnet operators for many years. He recalled the emergence of the Mirai botnet nearly a decade ago, which initially leveraged a list of 60 common default usernames and passwords to infiltrate and commandeer a massive number of devices. Maude noted that while history doesn’t precisely repeat, the patterns of router compromise and botnet formation often echo past events.
Several vulnerabilities are currently being exploited in the wild, according to a new report from Qualys. The study identified multiple high-severity flaws actively targeted by attackers.
CVE-2022-47945 stands out as a remote code execution bug in the ThinkPHP framework, caused by poor input sanitization. But software flaws are not the only problem. Attackers are also taking advantage of weak configurations, from leaving development tools such as Xdebug enabled on production servers to storing API keys and passwords in plaintext. Researchers have observed repeated attempts to steal AWS credential files from exposed Linux systems, a tactic that remains alarmingly effective.
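The probes described above leave a recognisable trail in ordinary web server logs. The following script is an added example (not code from the Qualys report or from Infosecurity Magazine) that scans Apache/nginx "combined"-format access logs for requests aimed at the exposures the report names: the `.env` and `.aws/credentials` files, the Xdebug trigger parameter, the PHPUnit `eval-stdin.php` path associated with CVE-2017-9841 and the Laravel Ignition endpoint associated with CVE-2021-3129. The log lines are constructed for the demonstration, the endpoint list and the severity rule (a 200 response to a sensitive file path means it was actually served) are the author's assumptions, and the path normalisation exists because scanners routinely percent-encode or double-slash paths to slip past naive string matches.

```python
"""Flag requests that probe for exposed PHP dev tooling and secret files.

Added example; the sample log below is constructed, not real traffic.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2025:10:01:03 +0000] "GET /.aws/credentials HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2025:10:02:10 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [12/Oct/2025:10:02:11 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/Oct/2025:10:03:00 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5120 "-" "curl/8.4"
192.0.2.9 - - [12/Oct/2025:10:03:05 +0000] "GET //%2Eenv HTTP/1.1" 404 153 "-" "curl/8.4"
192.0.2.44 - - [12/Oct/2025:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths a production PHP host should never be asked for by legitimate clients.
PROBE_PATHS = {
    "/.env": "Laravel/.env secrets file",
    "/.aws/credentials": "AWS credentials file",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": "PHPUnit eval-stdin.php (CVE-2017-9841)",
    "/_ignition/execute-solution": "Laravel Ignition (CVE-2021-3129)",
}


def normalize_target(target):
    """Split path/query, decode percent-encoding and collapse '//' so evasions match."""
    raw_path, _, raw_query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(raw_path))
    return path, parse_qs(raw_query)


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, query = normalize_target(m["target"])
    reasons = []
    if path in PROBE_PATHS:
        reasons.append(PROBE_PATHS[path])
    elif "/.aws/" in path:
        reasons.append("AWS credential directory")
    if any(k.upper().startswith("XDEBUG_") for k in query):
        reasons.append("Xdebug trigger parameter on a production host")
    if not reasons:
        return None
    status = int(m["status"])
    # A 200 on a secret-file path means the server handed the file over.
    severity = "critical" if path in PROBE_PATHS and status == 200 else "probe"
    return {"ip": m["ip"], "path": path, "status": status,
            "reasons": reasons, "severity": severity}


def scan_log(text):
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


def by_source(findings):
    """Group probed paths per source IP so one scanner shows up as one campaign."""
    out = defaultdict(list)
    for f in findings:
        out[f["ip"]].append(f["path"])
    return dict(out)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:15} {f['status']} {f['path']} <- {', '.join(f['reasons'])}")
```

Run against real logs, the "critical" rows are the ones to treat as a confirmed secrets disclosure and rotate keys for; the "probe" rows tell you which scanners are already knocking and which endpoints to remove or block before a new 0-day arrives.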
The situation is even more troubling in the IoT sector, where outdated firmware continues to expose devices to known exploits. The report highlighted CVE-2024-3721, a command injection vulnerability in TBK DVR equipment that is being leveraged by Mirai-variant botnets. Similar campaigns are targeting MVPower DVRs, which ship with hidden backdoors embedded by the manufacturer.
Maude, one of the report’s contributors, noted that botnets have evolved beyond their traditional roles in DDoS attacks and crypto-mining. They’re now used for large-scale credential stuffing and password spraying, exploiting fleets of compromised routers to automate identity-focused attacks.
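Spraying from a fleet of compromised routers is hard to catch with per-IP rate limits because each router makes only a handful of attempts. The script below is an added example (not from the report or from BeyondTrust) that runs two detections over constructed login events: a per-source check for one IP touching many accounts with few attempts each, and a tenant-wide check for a time bucket in which many accounts fail from several distinct sources, which is what a distributed spray looks like even when every individual source stays under the radar. The event tuples, IP addresses, usernames and thresholds are all constructed for the demonstration.

```python
"""Detect single-source and distributed password spraying in login telemetry.

Added example; EVENTS is a constructed dataset, not real authentication data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2025, 10, 12, 3, 0, 0)
BOTNET_IPS = ["198.51.100.10", "198.51.100.11", "203.0.113.20", "192.0.2.30"]
TARGET_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]

# (timestamp, source_ip, username, success)
EVENTS = []
# Spray: each botnet node tries one password against every account over a few minutes.
for i, ip in enumerate(BOTNET_IPS):
    for j, user in enumerate(TARGET_USERS):
        EVENTS.append((_BASE + timedelta(seconds=60 * i + 10 * j), ip, user, False))
# Classic brute force: one source hammering one account (a different pattern).
for k in range(8):
    EVENTS.append((_BASE + timedelta(seconds=15 * k), "203.0.113.99", "admin", False))
# A real user who mistypes twice and then logs in.
EVENTS += [
    (_BASE + timedelta(seconds=90), "192.0.2.77", "alice", False),
    (_BASE + timedelta(seconds=100), "192.0.2.77", "alice", False),
    (_BASE + timedelta(seconds=110), "192.0.2.77", "alice", True),
]
EVENTS.sort()


def spray_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Per-source spraying: one IP fails against many accounts, few tries per account."""
    per_ip = defaultdict(lambda: defaultdict(int))
    first_seen, last_seen = {}, {}
    for ts, ip, user, ok in events:
        if ok:
            continue
        per_ip[ip][user] += 1
        first_seen.setdefault(ip, ts)
        last_seen[ip] = ts
    return sorted(
        ip for ip, users in per_ip.items()
        if len(users) >= min_users
        and max(users.values()) <= max_per_user
        and last_seen[ip] - first_seen[ip] <= window
    )


def distributed_spray(events, window=timedelta(minutes=10), min_accounts=5, min_sources=3):
    """Fleet spraying: in one time bucket, many accounts fail from >= min_sources distinct IPs.

    Returns {bucket_start: [accounts]} for every bucket that trips the threshold.
    """
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, ip, user, ok in events:
        if ok:
            continue
        idx = (ts - datetime.min) // window
        buckets[datetime.min + idx * window][user].add(ip)
    alerts = {}
    for start, users in buckets.items():
        hit = sorted(u for u, ips in users.items() if len(ips) >= min_sources)
        if len(hit) >= min_accounts:
            alerts[start] = hit
    return alerts


if __name__ == "__main__":
    print("spraying sources:", spray_sources(EVENTS))
    for start, accounts in distributed_spray(EVENTS).items():
        print(f"distributed spray from {start:%H:%M}: {len(accounts)} accounts hit: {accounts}")
```

The brute-force source (`203.0.113.99`) and the legitimate user never trip either rule, which is the point: the response to a distributed spray is a tenant-wide control (MFA enforcement, conditional access, password reset for the hit accounts), not blocking the individual router IPs that will be replaced by the next batch.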
Cloud environments face parallel challenges. Vulnerabilities such as CVE-2022-22947 in Spring Cloud Gateway can enable unauthenticated code execution, leaving critical infrastructure exposed. Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, described a major shift in operational control: traditional on-premises security teams once oversaw their own data centers, but modern infrastructure-as-code deployments allow developers to launch and link services faster than security teams can map them. Ford emphasized that “you can’t defend what you can’t see,” underscoring the importance of continuous visibility across the attack surface.
Building resilience, the report argues, depends on risk-based vulnerability management (RBVM), an approach endorsed by Scott Schneider, Partner GTM at iCOUNTER. RBVM prioritizes remediation based on asset criticality, threat likelihood, and exposure level, helping teams focus on vulnerabilities that present the most immediate risk.
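To make the three RBVM factors concrete, here is an added example (not the report's, iCOUNTER's or Qualys's scoring model) that ranks a handful of findings by severity, threat likelihood, exposure and asset criticality rather than by CVSS alone. The findings use CVEs named in this article, but the asset names, the CVSS values, the weights and the SLA bands are assumed for illustration; the point the example makes is that an internet-facing, actively exploited 9.8 on an important asset outranks a CVSS 10 that sits behind a compensating control, and that an exploited flaw on an isolated lab box drops to the bottom.

```python
"""Risk-based prioritisation of vulnerability findings.

Added example. CVSS values, weights and SLA bands are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float                # base severity (assumed values below)
    exploited_in_wild: bool    # threat likelihood: under active exploitation
    internet_facing: bool      # exposure level
    asset_criticality: int     # business impact, 1 (lab box) .. 5 (revenue-critical)
    compensating_control: bool = False  # e.g. WAF rule blocks the known trigger


def priority(f: Finding) -> float:
    """Severity x likelihood x exposure x criticality, scaled to 0..5."""
    likelihood = 1.0 if f.exploited_in_wild else 0.3
    exposure = 1.0 if f.internet_facing else 0.4
    if f.compensating_control:
        exposure *= 0.5          # mitigated, not fixed: halve exposure, never zero it
    return round(f.cvss / 10 * likelihood * exposure * f.asset_criticality, 2)


def remediation_sla_days(score: float) -> int:
    """Assumed SLA bands: fix within 7, 30 or 90 days depending on priority."""
    if score >= 3.0:
        return 7
    if score >= 1.0:
        return 30
    return 90


def rank(findings):
    return sorted(findings, key=priority, reverse=True)


# Constructed inventory; the CVEs are the ones this article discusses.
FINDINGS = [
    Finding("shop-web-01 (ThinkPHP)", "CVE-2022-47945", 9.8, True, True, 4),
    Finding("api-gateway (Spring Cloud Gateway)", "CVE-2022-22947", 10.0, True, True, 5,
            compensating_control=True),
    Finding("ci-runner-03 (PHPUnit in vendor/)", "CVE-2017-9841", 9.8, True, False, 2),
    Finding("dev-laptop-vm (Laravel Ignition)", "CVE-2021-3129", 9.8, True, False, 1),
]


if __name__ == "__main__":
    print("CVSS-only order :", [f.cve for f in sorted(FINDINGS, key=lambda f: f.cvss, reverse=True)])
    print("RBVM order      :")
    for f in rank(FINDINGS):
        s = priority(f)
        print(f"  {s:5.2f}  fix in {remediation_sla_days(s):2d}d  {f.cve}  {f.asset}")
```

Whatever weights a team settles on, the two inputs that move the needle most are the ones the report emphasises: whether the flaw is being exploited right now and whether the asset is reachable from the internet, both of which require the continuous visibility discussed above to keep accurate.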
Qualys closed its report with a stark warning: the barrier to entry for cyberattacks has dropped sharply. With ready-made exploit kits and automated scanning tools widely available, even low-skilled actors can cause serious damage. The company urges organizations to apply patches promptly, adopt automated remediation workflows, and maintain real-time visibility over PHP servers, IoT devices, and cloud systems to reduce exposure to active exploitation.
(Source: Info Security)