Overview
- Qualys TRU details a sharp rise in automated campaigns by Mirai-, Gafgyt- and Mozi-style botnets against internet-exposed PHP apps, IoT gear and gateway software.
- PHP deployments are prime targets due to CMS-driven sprawl, with active exploitation of CVE-2017-9841 (PHPUnit), CVE-2021-3129 (Laravel Ignition) and CVE-2022-47945 (ThinkPHP).
- Attackers probe for active Xdebug sessions, attempt to pull AWS credential files, and exploit issues such as CVE-2022-22947 in Spring Cloud Gateway and CVE-2024-3721 in TBK DVRs plus MVPower DVR backdoors.
- Scanning frequently originates from infrastructure hosted on AWS, Google Cloud, Microsoft Azure, DigitalOcean and Akamai, obscuring true operator locations.
- NETSCOUT highlights AISURU “TurboMirai” as a multi-use botnet class combining >20 Tbps DDoS capacity with residential proxying and credential abuse; experts urge patching, removing debug tools, securing secrets and tightening access.
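The probes named above (Xdebug session checks, requests for AWS credential files, requests into a PHPUnit vendor directory) all leave a trace in ordinary web server access logs. The following is an added example, not code from the Qualys or NETSCOUT reports, showing a small detector that scans combined-format log lines for those three probe classes and ranks source IPs by hit count. The log lines are constructed samples, and the three indicator patterns are assumptions chosen to illustrate the approach rather than signatures published by either vendor.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format. They exist
# only to exercise the detector and are not traffic from either report.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?XDEBUG_SESSION_START=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /.aws/credentials HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "POST /vendor/phpunit/phpunit/phpunit.xml HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.44 - - [01/Jan/2025:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method,
# request target (path plus query string) and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicators, one per probe class mentioned in the summary. They are
# matched case-insensitively against the percent-decoded request target.
RULES = {
    # Xdebug reads its session trigger from the query string or cookie; on a
    # production host nobody legitimate should be sending it.
    "xdebug_probe": re.compile(r"XDEBUG_SESSION", re.I),
    # Path traversal attempts aimed at the default AWS CLI credential file.
    "aws_credential_file": re.compile(r"/\.aws/credentials", re.I),
    # Any request into a PHPUnit vendor directory means dev tooling is
    # reachable over the web, regardless of which file is asked for.
    "phpunit_vendor_path": re.compile(r"^/vendor/phpunit/", re.I),
}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per (line, rule) whose decoded target matches an
    indicator. Lines that do not parse as combined format are skipped."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode percent-encoding so "/%2Eaws/credentials" is still caught.
        target = unquote(m.group("target"))
        for name, pattern in RULES.items():
            if pattern.search(target):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "rule": name,
                    "target": target,
                    "status": m.group("status"),
                })
    return hits


def suspicious_ips(text: str) -> Dict[str, int]:
    """Count indicator hits per source IP to rank the noisiest scanners."""
    return dict(Counter(h["ip"] for h in scan_log(text)))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["rule"]:22} {h["target"]} -> {h["status"]}')
    print(suspicious_ips(SAMPLE_LOG))
```

Note that the credential-file and PHPUnit requests in the sample return 404; the probe itself is the signal, so the detector deliberately ignores the status code. In practice these rules would feed a SIEM or fail2ban-style blocker, and the per-IP ranking is what makes the cloud-hosted scanning sources the report describes stand out even when each one sends only a handful of requests.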