
Surge in Automated Botnet Attacks Targeting PHP Servers, IoT Devices, and Cloud Gateways

Cybersecurity researchers have reported a significant rise in automated cyberattacks aimed at compromising PHP servers, Internet of Things (IoT) devices, and cloud infrastructure gateways. The coordinated campaigns, driven by botnets such as Mirai, Gafgyt, and Mozi, are exploiting known vulnerabilities and misconfigurations to gain control over exposed systems and expand their attack networks.

According to a report from the Qualys Threat Research Unit (TRU), these attacks leverage publicly known vulnerabilities (tracked as CVEs), outdated software, and insecure deployments to infect servers and build large-scale botnets capable of executing distributed denial-of-service (DDoS), credential stuffing, and data theft operations.

PHP Servers: The Primary Target

PHP-based environments, including WordPress, Craft CMS, and other popular content management systems (CMS), have become primary targets due to their widespread use and inconsistent security practices. Outdated plugins, weak configurations, and exposed debug tools significantly increase the attack surface.

Some of the most exploited PHP vulnerabilities include:

  • CVE-2017-9841: Remote code execution flaw in PHPUnit

  • CVE-2021-3129: Remote code execution in Laravel

  • CVE-2022-47945: Remote code execution vulnerability in ThinkPHP Framework

Researchers also observed attackers probing for the Xdebug debugging extension by sending specially crafted HTTP requests containing the query string /?XDEBUG_SESSION_START=phpstorm. If Xdebug is left active in production, a successful probe allows adversaries to interact with the server, gather sensitive data, or manipulate code execution.
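The probe above leaves a recognisable trace in ordinary web-server access logs. The following Python detector is an added example (not code from the article or from the Qualys report) that scans combined-format log lines for any request carrying an XDEBUG_SESSION_START parameter, regardless of case or path, and counts probes per source address; the log lines are constructed samples using documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-login.php?xdebug_session_start=PHPSTORM HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.11 - - [01/Jan/2025:10:00:04 +0000] "POST /admin/?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.5 - - [01/Jan/2025:10:00:05 +0000] "GET /blog/?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pull the client address, method, request target and status out of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_xdebug_probe(target: str) -> bool:
    """True if the request target carries an XDEBUG_SESSION_START parameter (any case, any path)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(name.lower() == "xdebug_session_start" for name in params)

def find_xdebug_probes(log_text: str) -> list[dict]:
    """Return one record per request that tries to start an Xdebug session."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_xdebug_probe(m["target"]):
            hits.append({"ip": m["ip"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"])})
    return hits

def probes_by_source(log_text: str) -> Counter:
    """Count probes per client address; the same probe from many sources points to automated scanning."""
    return Counter(hit["ip"] for hit in find_xdebug_probes(log_text))

if __name__ == "__main__":
    for hit in find_xdebug_probes(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
    print(probes_by_source(SAMPLE_LOG))
```

A 200 status on such a probe is worth a follow-up check that Xdebug is not loaded on that host; a 404 only tells you the path was missing, not that the extension is absent.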

IoT and Cloud Infrastructure Exploitation

The campaigns extend beyond web servers, targeting IoT systems and cloud gateways for remote code execution. Identified vulnerabilities include:

  • CVE-2022-22947: RCE in Spring Cloud Gateway

  • CVE-2024-3721: Command injection flaw in TBK DVR-4104 and DVR-4216

  • MVPower TV-7104HE DVR Misconfiguration: Allows unauthenticated command execution via HTTP requests

The attacks often originate from major cloud providers—including AWS, Google Cloud, Microsoft Azure, Digital Ocean, and Akamai—demonstrating how threat actors abuse legitimate infrastructure to hide their true origin and amplify their attacks.

The New Role of Botnets in Modern Threats

Botnets were once primarily associated with DDoS attacks and cryptomining, but they now play a broader role in identity theft and access-based attacks. Modern botnets can perform:

  • Credential stuffing and password spraying at scale

  • Session hijacking and proxy-based evasion of geolocation or access policies

  • AI-driven data scraping, phishing, and spam campaigns

Recent research from NETSCOUT introduced AISURU, a powerful DDoS-for-hire botnet categorized as a TurboMirai variant. AISURU’s attacks can exceed 20 terabits per second (Tbps) and involve residential proxy services, allowing attackers to disguise their traffic as legitimate by routing it through compromised routers and IoT devices.

Defensive Recommendations

Security experts recommend that organizations take proactive steps to mitigate these automated threats:

  • Regularly update software and firmware to patch known vulnerabilities.

  • Disable development and debugging tools in production environments.

  • Protect API keys and credentials using secure storage systems such as AWS Secrets Manager or HashiCorp Vault.

  • Limit public network exposure of cloud infrastructure and IoT devices.

As botnets evolve to incorporate artificial intelligence, automation, and proxy-based deception, securing even basic web or IoT deployments has become crucial to preventing their use in global cybercrime ecosystems.