Experts Reports Sharp Increase In Automated Botnet Attacks Tar...
Cybersecurity researchers are calling attention to a spike in automated attacks targeting PHP servers, IoT devices, and cloud gateways by various botnets such as Mirai, Gafgyt, and Mozi.
"These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks," the Qualys Threat Research Unit (TRU) said in a report shared with The Hacker News.
The cybersecurity company said PHP servers have emerged as the most prominent targets of these attacks owing to the widespread use of content management systems like WordPress and Craft CMS. This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage.
Some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors are listed below -
Qualys said it has also observed exploitation efforts that involve the use of "/?XDEBUG_SESSION_START=phpstorm" query string in HTTP GET requests to initiate an Xdebug debugging session with an integrated development environment (IDE) like PhpStorm.
"If Xdebug is unintentionally left active in production environments, attackers may use these sessions to gain insight into application behavior or extract sensitive data," the company said.
Alternatively, threat actors are continuing to look for credentials, API keys, and access tokens in internet-exposed servers to take control of susceptible systems, as well as leverage known security flaws in IoT devices to co-opt them into a botnet. These include -
The scanning activity, Qualys added, often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.
"Today's threat actors don't need to be highly sophisticated to be effective," it noted. "With widely available exploit kits, botnet frameworks, and scanning tools, even entry-level attackers can cause significant damage."
To safeguard against the threat, it's advised that users keep their devices up-to-date, remove development and debug tools in production environments, secure secrets using AWS Secrets Manager or HashiCorp Vault, and restrict public access to cloud infrastructure.
Source: The Hacker News
