How Botnets Are Weaponizing the Modern Web


The threat landscape is always shifting, with traditional tactics and tools often reemerging as attack trends and technological advances make them more profitable once more. The Threat Research Unit (TRU) at Qualys recently discovered a resurgence in botnets built on related code, primarily Gafgyt, Mirai, and Mozi. These botnets—first appearing in 2014, 2016, and 2019 respectively—have evolved over time from consumer-grade IoT exploits to advanced multi-vector campaigns targeting PHP servers, cloud services, and gateways.

PHP: The Web’s Soft Underbelly

The scripting language PHP is ubiquitous on the internet, used by 73% of all websites with a known server-side programming language. PHP is open source, community supported and portable across platforms, which gives it a number of notable advantages for web development. Unfortunately, the widespread popularity of PHP is a double-edged sword, posing risks alongside the benefits it offers.

Qualys TRU found that many of the sites deploying PHP suffer from vulnerabilities like outdated versions and plugins, misconfigured file permissions, leftover enabled debugging modules, and insecure storage of files. These errors make PHP a prime target for attacks like the Craft CMS zero-day breach. In this incident, attackers took advantage of a flaw that could enable an unauthenticated user to send requests to endpoints in order to place and execute PHP code on target servers.
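The misconfigurations listed above (debugging left enabled, risky include settings, loose file permissions) can be checked before deployment. The following audit is an added example, not Qualys or Craft CMS code; the set of directives it flags is this example's own selection, and it does not model PHP's compiled-in defaults for directives a php.ini leaves unset.

```python
import re
from typing import Dict, List

# Directives this audit expects to be Off in production (this example's own
# selection, not a Qualys list): the first three leak diagnostics or version
# details, the last two widen what injected PHP code can reach.
RISKY_IF_ON = {
    "display_errors": "sends stack traces and file paths to clients",
    "display_startup_errors": "sends startup diagnostics to clients",
    "expose_php": "advertises the PHP version in response headers",
    "allow_url_include": "lets include()/require() load remote code",
    "allow_url_fopen": "lets file functions open remote URLs",
}

def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections]."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def ini_on(value: str) -> bool:
    return value.strip().lower() in ("on", "1", "true", "yes")

def audit_php_ini(text: str) -> Dict[str, List[str]]:
    """Return explicit risky settings and keys left to PHP's compiled default."""
    settings = parse_php_ini(text)
    report: Dict[str, List[str]] = {"risky": [], "unset": []}
    for key, why in RISKY_IF_ON.items():
        if key not in settings:
            report["unset"].append(key)  # default not modelled; verify by hand
        elif ini_on(settings[key]):
            report["risky"].append(f"{key}=On: {why}")
    return report

def world_writable(mode: int) -> bool:
    """True when a file mode (e.g. st_mode from os.stat) grants write to 'other'."""
    return bool(mode & 0o002)

# Constructed php.ini fragment for this example.
SAMPLE_INI = """\
[PHP]
; debugging left on after deployment
display_errors = On
expose_php = Off
allow_url_include = "On"
"""

if __name__ == "__main__":
    print(audit_php_ini(SAMPLE_INI))
```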

Cloud Misconfigurations: The New Open Door

Misconfigurations are some of the most pressing risks in many different contexts, as organizations and individual users alike commonly fail to ensure that all settings are properly configured for operational and security purposes. Misconfigured settings in cloud environments can offer attackers an easy path to infiltrating and compromising entire systems.

Exposed secrets, API keys, and plaintext credentials are fueling large-scale intrusions by offering up the sensitive information that threat actors need on a silver platter. Qualys TRU identified ongoing attacker attempts to gain access to sensitive AWS credential files, part of a broader trend of leakage and theft of secrets and credentials in DevOps pipeline exposure.

IoT and Legacy Devices: The Forgotten Battlefield

The exploitation of outdated IoT devices with insecure firmware or hardcoded credentials is a major factor in modern threats, as attackers continue to take advantage of legacy devices. By exploiting vulnerabilities in outdated endpoints, threat actors can gain persistent footholds for lateral movement into enterprise networks.

“Routers and IoT devices have long been targeted and compromised to form increasingly large botnets,” according to James Maude, Field CTO at BeyondTrust. “Almost a decade ago, we saw the rise of the Mirai botnet, which initially abused 60 default usernames and passwords to log into and infect a huge number of devices. Later, Mirai evolved to exploit zero days in Huawei, DLink, and Netgear routers.” Attackers have long favored attacks that take advantage of easily compromised endpoints like the interconnected and often outdated IoT devices used by many organizations.

From Automation to Autonomy: The Rise of Machine-Led Exploits

As the AI explosion has offered organizations a number of effective tools for carrying out business operations and security processes, it has also made it easier for threat actors to launch massive volumes of attacks with higher success rates. Attackers have begun using AI for a wide range of purposes, from creating highly convincing phishing messages and deepfakes to composing malicious code.

The usage of AI-enhanced tools enables the increasing automation of exploitation campaigns, where AI-assisted reconnaissance and self-updating botnets adapt faster than traditional patch cycles. Attackers, with fewer ethical and operational requirements for protecting themselves, are able to adopt new tools more easily than enterprises can, and security updates struggle to keep up with rapidly advancing attack tactics and evolving autonomous technology.

Defense in Depth for a Borderless Web

Saeed Abbasi, Senior Manager, Product Management for Security Research at Qualys TRU, emphasizes the importance of proactive hardening and unified visibility incorporating threat intelligence and risk-based prioritization: “This foundation is what guides a focused response, enabling immediate tactical remediation to patch, harden, and decommission your most critical assets first, followed by thorough configuration audits and proactive threat hunting to address hidden risks.”

Based on the findings from Qualys TRU, organizations should take steps to ensure protection against these evolving tactics. It is crucial to maintain updated instances of PHP, enforce the principle of least privilege for access to cloud environments, scan for exposed secrets, and deploy continuous configuration monitoring to address these common vulnerabilities.
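Scanning for exposed secrets, as recommended here and as the AWS credential theft described earlier calls for, can be built into a pipeline check. The following scanner is an added example, not a Qualys tool: the key patterns are its own assumptions based on the published AWS key format, the sensitive file suffixes are a constructed starting list, and the sample tree uses the placeholder credentials from AWS's documentation.

```python
import re
from typing import Dict, List, Tuple

# Patterns are this example's assumptions, based on the published AWS key
# format: access key IDs are "AKIA" plus 16 upper-case alphanumerics; secret
# keys are 40 base64-style characters and are only flagged next to the usual
# config key name to limit false positives.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I)
# Files that should never be committed or shipped in a build artifact.
SENSITIVE_SUFFIXES = (".aws/credentials", ".env")

Finding = Tuple[str, int, str]  # (path, line number, description)

def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]

def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, n, f"access key id {redact(m.group(1))}"))
        if SECRET_KEY_RE.search(line):
            findings.append((path, n, "secret access key (value withheld)"))
    return findings

def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a path->content map, e.g. a checkout or unpacked build artifact."""
    findings: List[Finding] = []
    for path, text in files.items():
        if path.endswith(SENSITIVE_SUFFIXES):
            findings.append((path, 0, "credential file present in tree"))
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample tree; the key values are the placeholder credentials
# from AWS's own documentation, not real secrets.
SAMPLE_TREE = {
    "src/index.php": "<?php echo 'hello'; ?>\n",
    "config/app.yml": "aws:\n  access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    ".env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
             "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "deploy/.aws/credentials": ("[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_TREE):
        print(finding)
```

Findings never echo the secret value itself, so the report can be attached to a CI job log without recreating the exposure it reports.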

Author

PJ Bradley, Contributing Writer, Security Buzz

PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.