Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Experts Reports Sharp Increase in Automated Botnet Attacks Targeting PHP Servers and IoT Devices

The Hacker News by The Hacker News
October 29, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Oct 29, 2025Ravie LakshmananVulnerability / Internet of Things

Cybersecurity researchers are calling attention to a spike in automated attacks targeting PHP servers, IoT devices, and cloud gateways by various botnets such as Mirai, Gafgyt, and Mozi.

“These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks,” the Qualys Threat Research Unit (TRU) said in a report shared with The Hacker News.

The cybersecurity company said PHP servers have emerged as the most prominent targets of these attacks owing to the widespread use of content management systems like WordPress and Craft CMS. This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage.

DFIR Retainer Services

Some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors are listed below –

  • CVE-2017-9841 – A Remote code execution vulnerability in PHPUnit
  • CVE-2021-3129 – A Remote code execution vulnerability in Laravel
  • CVE-2022-47945 – A Remote code execution vulnerability in ThinkPHP Framework

Qualys said it has also observed exploitation efforts that involve the use of “/?XDEBUG_SESSION_START=phpstorm” query string in HTTP GET requests to initiate an Xdebug debugging session with an integrated development environment (IDE) like PhpStorm.

“If Xdebug is unintentionally left active in production environments, attackers may use these sessions to gain insight into application behavior or extract sensitive data,” the company said.

Alternatively, threat actors are continuing to look for credentials, API keys, and access tokens in internet-exposed servers to take control of susceptible systems, as well as leverage known security flaws in IoT devices to co-opt them into a botnet. These include –

  • CVE-2022-22947 – A Remote code execution vulnerability in Spring Cloud Gateway
  • CVE-2024-3721 – A Command injection vulnerability in TBK DVR-4104 and DVR-4216
  • A Misconfiguration in MVPower TV-7104HE DVR that allows unauthenticated users to execute arbitrary system commands via an HTTP GET request

The scanning activity, Qualys added, often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.

“Today’s threat actors don’t need to be highly sophisticated to be effective,” it noted. “With widely available exploit kits, botnet frameworks, and scanning tools, even entry-level attackers can cause significant damage.”

To safeguard against the threat, it’s advised that users keep their devices up-to-date, remove development and debug tools in production environments, secure secrets using AWS Secrets Manager or HashiCorp Vault, and restrict public access to cloud infrastructure.

“While botnets have previously been associated with large-scale DDoS attacks and occasional crypto mining scams, in the age of identity security threats, we see them taking on a new role in the threat ecosystem,” James Maude, field CTO at BeyondTrust, said.

“Having access to a vast network of routers and their IP addresses can allow threat actors to perform credential stuffing and password spray attacks a huge scale. Botnets can also evade geolocation controls by stealing a user’s credentials or hijacking a browser session and then using a botnet node close to the victim’s actual location and maybe even using the same ISP as the victim to evade unusual login detections or access policies.”

CIS Build Kits

The disclosure comes as NETSCOUT classified the DDoS-for-hire botnet known as AISURU as a new class of malware dubbed TurboMirai that can launch DDoS attacks that exceed 20 terabits per second (Tbps). The botnet primarily comprises consumer-grade broadband access routers, online CCTV and DVR systems, and other customer premise equipment (CPE).

“These botnets incorporate additional dedicated DDoS attack capabilities and multi-use functions, enabling both DDoS attacks and other illicit activities such as credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing,” the company said.

“AISURU includes an onboard residential proxy service used to reflect HTTPS application-layer DDoS attacks generated by external attack harnesses.”

Turning compromised devices into a residential proxy allows paying customers to route their traffic through one of the nodes in the botnet, offering anonymity and the ability to blend in with regular network activity. According to independent security journalist Brian Krebs, all of the major proxy services have grown exponentially over the past six months, citing data from spur.us.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
InventHelp Inventor Develops Mobile Device Case to Enhance Sound (CTK-1452)

InventHelp Inventor Develops Mobile Device Case to Enhance Sound (CTK-1452)

Recommended.

Stocks making the biggest moves after hours: Texas Instruments, Enphase Energy, Cal-Maine Foods and more

Stocks making the biggest moves after hours: Texas Instruments, Enphase Energy, Cal-Maine Foods and more

July 22, 2025
Best Website Builder with Domain (2026): Network Solutions Awarded Best All-in-One Website Builder and Hosting Provider by Better Business Advice

Best Website Builder with Domain (2026): Network Solutions Awarded Best All-in-One Website Builder and Hosting Provider by Better Business Advice

February 25, 2026

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio