Concise Cyber


Qualys Reports Surge in Automated Botnet Attacks on PHP Servers and IoT Devices

A new report from the Qualys Threat Research Unit (TRU) confirms a sharp increase in automated botnet attacks targeting a range of internet-facing systems. Cybersecurity researchers have observed botnets such as Mirai, Gafgyt, and Mozi actively compromising PHP servers, Internet of Things (IoT) devices, and cloud gateways. The information, shared with The Hacker News, points to a concerted effort by threat actors to expand their networks of infected devices.

The Qualys report states, “These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks.” This method allows attackers to efficiently and rapidly grow their infrastructure by scanning for and compromising vulnerable systems without manual intervention.

PHP Servers Identified as Top Attack Vector

According to the cybersecurity company, PHP servers have emerged as the most prominent targets in this surge of malicious activity. The primary reason for this focus is the widespread global use of content management systems like WordPress and Craft CMS, which are built on PHP. This popularity inadvertently creates a massive attack surface that threat actors are keen to exploit.

The report details that many PHP deployments are vulnerable due to a combination of factors. These include persistent issues with server misconfigurations, the continued use of outdated and unpatched plugins and themes, and insecure file storage practices. Each of these weaknesses can provide an entry point for an automated attack to succeed.

Key Vulnerabilities Leveraged by Attackers

Threat actors are not developing novel techniques but are instead relying on a list of prominent, well-known weaknesses in PHP frameworks to gain access. The Qualys TRU report specifically highlighted several of these vulnerabilities being used in active campaigns. Among the most notable are:

CVE-2017-9841: A remote code execution vulnerability impacting PHPUnit that allows attackers to execute arbitrary code on a vulnerable server.
CVE-2021-3129: Another significant remote code execution vulnerability that has been weaponized by botnets to compromise systems.
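To show how a defender would spot the automated probing described above in ordinary web server access logs, here is an added Python example; it is not code from the Qualys report or from The Hacker News, the log lines are constructed, and it assumes Apache/nginx combined-format logs and uses the request paths publicly associated with the two CVEs named in the report.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:08:01:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:08:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:08:02:40 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Jun/2025:08:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:08:03:05 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths publicly associated with the two CVEs named in the report.
# Botnets probe many path prefixes, so match on the tail of the path.
INDICATORS = {
    "CVE-2017-9841": re.compile(r"/phpunit/.*/eval-stdin\.php$", re.I),
    "CVE-2021-3129": re.compile(r"/_ignition/execute-solution$", re.I),
}


def scan_log(text):
    """Return one finding per request whose path matches a known exploit path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        for cve, pattern in INDICATORS.items():
            if pattern.search(path):
                findings.append({"ip": m.group("ip"), "cve": cve,
                                 "path": path, "status": int(m.group("status"))})
    return findings


def summarize(findings):
    """Count attempts per source IP and isolate probes that got a 2xx reply,
    which indicate the exploit path is actually reachable and need priority."""
    by_ip = Counter(f["ip"] for f in findings)
    succeeded = [f for f in findings if 200 <= f["status"] < 300]
    return by_ip, succeeded


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    per_ip, reachable = summarize(found)
    print(f"{len(found)} probes from {len(per_ip)} source(s); "
          f"{len(reachable)} answered with 2xx")
```

A 404 on these paths is just background scanning noise worth counting per source; a 200 means the file is exposed and the host should be checked for compromise and patched.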