Cloud Security, Network Security, Identity, IoT

Botnets driving attacks on PHP servers, IoT devices, cloud gateways

botnet virus at a computer screen skull

A sharp increase in attacks on PHP servers, IoT devices and cloud gateways have been observed by researchers at the Qualys Threat Research Unit.

In an Oct. 30 blog post, the Qualys team said these attacks are driven by botnets such as Mirai, Gafgyt, and Mozi.

The automated campaigns exploit well-known CVE vulnerabilities and cloud misconfigurations, many of them from several years ago.

Some of bugs include the following:

  • CVE-2022-47945, a 9.8 critical RCE vulnerability in ThinkPHP versions before 6.0.14
  • CVE-2021-3129, also a 9.8 critical RCE flaw that affects Laravel apps when the Ignition debugging package has been exposed in production environments.
  • CVE-2017-9841, a critical 9.8 bug that resides in PHPUnit, a widely-used testing framework in PHP apps.

Noelle Murata, senior security engineer at Xcape, Inc., explained that the recent surge in automated botnet attacks targeting PHP servers, IoT devices, and cloud gateways represents a major security concern because these systems are often the most vulnerable parts of today's attack surface.

“PHP is a prime target because of its widespread use in misconfigured web apps and known, unpatched RCE vulnerabilities,” said Murata. “Resource-constrained IoT devices and cloud misconfigurations make it easy and cheap to build large botnets like Mirai, Mozi, and Gafgyt.

Murata pointed out that these botnets are also increasingly using exposed cloud infrastructure for command and control (C2), helping attackers hide their tracks and launch large-scale credential attacks. Security teams need to act quickly by patching known vulnerabilities, disabling development tools like XDebug in production environments, segmenting networks to protect IoT devices, and continuously monitoring all systems for unusual outbound connections, noted Murata.

"We're seeing a major shift in the threat landscape,” said Sonu Shankar, president and COO at Phosphorus. “Adversaries are no longer stopping at IT. They're pivoting to IoT devices, such as DVRs, IP cameras, and printers, as well as OT and IoMT devices that sit unmonitored and unmanaged across enterprise networks.”

Shankar added that these connected devices often have the same access and privileges as traditional endpoints, but far fewer defenses. Once compromised, Shankar said they can power botnets, serve as covert entry points for credential theft, or deliver ransomware.

“We're finding that 70% of connected devices still use default passwords, 68% are running firmware with critical vulnerabilities, and 26% are end-of-life,” said Shankar. “Those numbers represent a massive and growing attack surface that most organizations don't see and can't manage.”

James Maude, Field CTO at BeyondTrust added that routers and IoT devices have long been targeted and compromised to form increasingly large botnets. Maude said nearly 10 years ago, we saw the rise of the Mirai botnet, which initially abused 60 default usernames and passwords to log into and infect a huge number of devices.

“Later, Mirai evolved to exploit zero-days in Huawei, DLink and Netgear routers,” said Maude. “While history doesn’t repeat itself, it often does when it comes to router compromise and botnets. While botnets have previously been associated with largescale DDoS attacks and occasional crypto mining scams, in the age of identity security threats, we see them taking on a new role in the threat ecosystem.”

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds