LmCast :: Stay tuned in

Botnets Step Up Cloud Attacks Via Flaws, Misconfigurations

Recorded: Oct. 30, 2025, 2:20 p.m.


Infamous botnets like Mirai are exploiting Web-exposed assets such as PHP servers, IoT devices, and cloud gateways to gain control over systems and build strength.

By Elizabeth Montalbano, Contributing Writer. October 29, 2025. 4 min read. Originally published on Dark Reading.

A series of known and powerful botnets are ramping up attacks against Web-exposed assets such as PHP servers, Internet of Things (IoT) devices, and cloud gateways to gain control over network resources and bolster their own strength for further malicious activity.

These systems and devices are under an increasing threat from the Mirai, Gafgyt, and Mozi botnets through automated campaigns that exploit known vulnerabilities and cloud misconfigurations. The security gaps allow the attackers to launch remote code execution (RCE) attacks, exfiltrate data, or turn the server into a vehicle for further malware distribution, the Qualys Threat Research Unit (TRU) revealed in a report published today.

"With PHP powering more than 73% of websites and 82% of enterprises reporting incidents linked to cloud misconfigurations, the modern attack surface has never been broader," read the report.

This attack surface includes sensitive Amazon Web Services (AWS) credential files on exposed or misconfigured Linux servers, as well as insecure or legacy IoT devices with outdated firmware, weak protocols, and hardcoded credentials. Attackers also are targeting cloud-native environments through exposed APIs and misconfigured services, weaponizing known, largely critical flaws.
In fact, recent network scanning activity found that attackers are exploiting a number of prominent cloud-based and networking services through their botnet activity, with thousands of source IPs originating from Google Cloud Platform (GCP), AWS, Microsoft Azure, Digital Ocean, and Akamai Cloud, among others, according to Qualys.

According to the report, "This pattern aligns with how threat actors often abuse cloud resources, using cheap, temporary, or compromised computer instances to conduct reconnaissance and exploit attempts while masking their real origin."

Threats to Web, IoT and Cloud

Take PHP, for example, which has become a foundational component for websites and Web applications, particularly within popular content management systems (CMS) such as WordPress. However, its ubiquity makes it an attractive target for botnets, especially because many of these deployments suffer from various insecurities like outdated versions and plug-ins, misconfigured file permissions, debugging components left enabled in production, and insecure file storage, according to Qualys.

Moreover, there are critical vulnerabilities that, if unpatched, will continue to provide entry points for RCE and data compromise. Some of the most prominent flaws are: CVE-2022-47945, a critical RCE flaw in the ThinkPHP Framework that affects applications with multilanguage support enabled; CVE-2021-3129, an RCE vulnerability that affects Laravel applications and can be exploited by attackers to execute arbitrary code; and CVE-2017-9841, a long-standing vulnerability in PHPUnit, a widely used testing framework in PHP applications, that allows unauthenticated attackers to execute arbitrary code remotely.

IoT devices also are coming under considerable fire from botnets through existing vulnerabilities, according to Qualys.
Mirai and Mirai-like botnets, for example, are currently using a critical command injection flaw, tracked as CVE-2024-3721, that stems from insecure firmware logic affecting TBK DVR-4104 and DVR-4216 devices. Mirai variants also are targeting a misconfiguration in the MVPower TV-7104HE DVR device, which contains a built-in backdoor that allows unauthenticated users to execute arbitrary system commands via an HTTP GET request.

Finally, cloud-native environments continue to be plagued by misconfigurations and other issues that allow for botnet exploitation, according to Qualys. In particular, Mirai and others use exposed APIs and misconfigured services to turn cloud resources into infrastructure that can be used for further malicious activity.

One key flaw that the researchers said has been under particular attack recently is CVE-2022-22947, a critical RCE vulnerability in the Spring Cloud Gateway. The flaw allows unauthenticated attackers to execute arbitrary code via a maliciously crafted request to the /actuator/refresh endpoint.

Adopt Security Best Practices

Given the increased threat of botnet activity against exposed Web-facing assets across organizations, Qualys suggested some security best practices to avoid compromise and prevent attackers from using organizations' infrastructure for malicious activity.

One recommendation is obvious but is still something with which many organizations struggle: regularly update all software dependencies, libraries, and frameworks to ensure vulnerabilities are fixed. In containerized environments, Qualys said, organizations should always rebuild images with the latest base and application versions. Defenders also can reduce their attack surface by removing or disabling development and debug tools in production, as many of the exploited vulnerabilities exist because these tools are not disabled in production, according to the report.
Organizations also should take extra steps to protect sensitive files and secrets, and avoid storing them in plaintext files, another obvious but common mistake that can lead to exploitation, according to Qualys. Instead, they should use a managed store like AWS Secrets Manager or HashiCorp Vault.

About the Author

Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

The article highlights a growing threat posed by botnets such as Mirai, Gafgyt, and Mozi, which are increasingly leveraging vulnerabilities and misconfigurations in web-facing assets, cloud infrastructure, and Internet of Things (IoT) devices to expand their networks and execute malicious activities. According to a report by the Qualys Threat Research Unit (TRU), these botnets run automated campaigns targeting systems like PHP servers, outdated IoT devices, and misconfigured cloud environments. The report underscores that the modern attack surface has expanded significantly: PHP powers over 73% of websites, and 82% of enterprises report incidents linked to cloud misconfigurations. Attackers are capitalizing on weaknesses in these systems, including unpatched software, insecure APIs, and exposed credentials, to launch remote code execution (RCE) attacks, exfiltrate data, or repurpose servers for further malware distribution. The report emphasizes that cloud-based resources, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, are being abused by threat actors to mask their origins through temporary or compromised instances, enabling reconnaissance and exploitation activities.

A key focus of the report is the vulnerability of PHP-based systems, which remain a critical entry point for botnets. Many websites and applications built on content management systems (CMS) like WordPress rely on PHP, but outdated versions, misconfigured file permissions, and debugging components left enabled in production environments create exploitable gaps. Specific vulnerabilities highlighted include CVE-2022-47945, a critical RCE flaw in the ThinkPHP Framework that affects applications with multilanguage support enabled; CVE-2021-3129, which affects Laravel applications and allows attackers to execute arbitrary code; and CVE-2017-9841, a long-standing vulnerability in PHPUnit that enables unauthenticated remote code execution. These flaws underscore the risks associated with delayed patching and the persistence of legacy systems in modern infrastructure. Additionally, IoT devices are under significant pressure from botnets, with Mirai and similar networks exploiting weaknesses in firmware logic. For instance, the CVE-2024-3721 command injection flaw in TBK DVR-4104 and DVR-4216 devices, as well as a built-in backdoor in the MVPower TV-7104HE DVR, provide attackers with pathways to execute arbitrary system commands. The report also notes that cloud-native environments are particularly vulnerable due to exposed APIs and misconfigured services, with the Spring Cloud Gateway vulnerability CVE-2022-22947 being a prime example. This flaw allows unauthenticated attackers to send crafted requests to the /actuator/refresh endpoint, leading to remote code execution and potential system compromise.
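The report describes botnets probing exposed management endpoints such as Spring Cloud Gateway's /actuator/refresh from large numbers of cloud-hosted source IPs. The following detection logic is an added example, not code from the article or from Qualys: it parses Combined Log Format access-log lines, alerts on any request to an actuator endpoint (a 2xx answer means the endpoint is actually exposed, anything else is a probe), and flags source IPs that drew 4xx responses for several distinct paths, the signature of automated scanning. The log lines, IP addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Combined Log Format as written by Apache httpd and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Spring Boot management endpoints; /actuator/refresh is the one the report
# names for CVE-2022-22947. None of them should be reachable from the internet.
ACTUATOR_PREFIX = "/actuator/"

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
198.51.100.23 - - [29/Oct/2025:10:14:01 +0000] "POST /actuator/refresh HTTP/1.1" 200 12
203.0.113.9 - - [29/Oct/2025:10:15:10 +0000] "GET /index.php HTTP/1.1" 404 153
203.0.113.9 - - [29/Oct/2025:10:15:11 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.9 - - [29/Oct/2025:10:15:12 +0000] "GET /actuator/refresh HTTP/1.1" 404 153
192.0.2.77 - - [29/Oct/2025:10:16:00 +0000] "GET /about HTTP/1.1" 200 5120
this line is not a log record
""".splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def detect(lines, probe_threshold=3):
    """Alert on any actuator access (2xx = exposed, otherwise a probe) and on
    source IPs whose requests drew 4xx responses for >= probe_threshold paths."""
    alerts = []
    probes = defaultdict(set)  # ip -> distinct paths that drew a 4xx response
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["path"].startswith(ACTUATOR_PREFIX):
            kind = "actuator_exposed" if 200 <= ev["status"] < 300 else "actuator_probe"
            alerts.append({"type": kind, "ip": ev["ip"], "method": ev["method"],
                           "path": ev["path"], "status": ev["status"]})
        if 400 <= ev["status"] < 500:
            probes[ev["ip"]].add(ev["path"])
    for ip, paths in probes.items():
        if len(paths) >= probe_threshold:
            alerts.append({"type": "scanner", "ip": ip, "distinct_paths": len(paths)})
    return alerts
```

On the sample, the first line is the one that matters most: a 200 on /actuator/refresh from an external address means the management endpoint is reachable and the gateway should be taken off the internet path before patching is even discussed.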

The article stresses that the proliferation of these threats is exacerbated by systemic security oversights, such as the storage of sensitive credentials in plaintext files and the failure to disable development tools in production environments. Qualys recommends that organizations adopt proactive security measures, including regular updates to software dependencies and frameworks, the use of containerized environments with updated base images, and the implementation of secret management solutions like AWS Secrets Manager or HashiCorp Vault. Defenders are also advised to remove or disable unnecessary tools and debug components in production, as many exploited vulnerabilities stem from these leftover elements. Furthermore, the report emphasizes the importance of securing cloud configurations to prevent unauthorized access to APIs and services, which can be exploited as infrastructure for botnet operations. The findings align with broader trends in cybersecurity, where the convergence of cloud adoption and legacy infrastructure creates fertile ground for sophisticated attacks.
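Two of the recommendations above, keeping secrets out of plaintext files and disabling debug components in production, can be checked mechanically. The audit below is an added example, not code from the article or from Qualys: it scans a constructed set of files for AWS access key IDs and secret keys in plaintext, flags secret-bearing files that are world-readable, and flags Laravel's APP_DEBUG=true (assumed here as the concrete form of "debug component left enabled"). The paths, permission bits and key values are fabricated placeholders.

```python
import re
import stat

# Constructed sample of files as an audit might find them on a web server:
# (path, permission bits, contents). All key values are fake placeholders.
SAMPLE_FILES = [
    ("/home/deploy/.aws/credentials", 0o644,
     "[default]\naws_access_key_id = AKIAEXAMPLE0000000AA\n"
     "aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret00\n"),
    ("/var/www/app/.env", 0o664,
     "APP_ENV=production\nAPP_DEBUG=true\nAWS_SECRET_ACCESS_KEY=EXAMPLEsecret\n"),
    ("/var/www/app/config.php", 0o640, "<?php\n$debug = false;\n"),
]

# AWS access key IDs share a fixed prefix and length; a match in a config or
# credentials file means a long-lived key sits on disk in plaintext.
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"^\s*aws_secret_access_key\s*=", re.I | re.M)
# Laravel's APP_DEBUG=true is taken as the "debug component left enabled" case.
DEBUG_ON_RE = re.compile(r"^\s*APP_DEBUG\s*=\s*true\s*$", re.I | re.M)


def audit_file(path, mode, text):
    """Return the list of issue names found in one file."""
    issues = []
    if AKIA_RE.search(text) or SECRET_KEY_RE.search(text):
        issues.append("plaintext_aws_secret")
        if mode & stat.S_IROTH:  # secret material readable by every local user
            issues.append("world_readable_secret")
    if DEBUG_ON_RE.search(text):
        issues.append("debug_enabled")
    return issues


def audit(files):
    """Run audit_file over (path, mode, text) tuples; return (path, issue) pairs."""
    findings = []
    for path, mode, text in files:
        for issue in audit_file(path, mode, text):
            findings.append((path, issue))
    return findings
```

Each plaintext_aws_secret finding is a candidate for moving the value into a managed store such as AWS Secrets Manager or HashiCorp Vault and rotating the key, since a file that has been world-readable on an exposed host should be treated as already copied.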

The article also touches on the broader implications of these threats, noting that the increasing reliance on cloud services and IoT devices has expanded the attack surface for malicious actors. The Qualys TRU report highlights how botnets are adapting their strategies to exploit emerging technologies, such as containerized environments and cloud-native architectures, which require specialized security protocols. The piece underscores the need for organizations to prioritize threat intelligence and continuous monitoring, as attackers are increasingly using compromised cloud instances to conduct reconnaissance and launch further exploits. By addressing these vulnerabilities through comprehensive security practices, enterprises can mitigate the risks posed by botnets while safeguarding their digital assets. The report serves as a call to action for businesses to reassess their security postures, particularly in light of the growing sophistication and persistence of cyber threats targeting both traditional and modern infrastructure.

The author, Elizabeth Montalbano, a freelance writer with expertise in technology and cybersecurity, contextualizes these findings within the broader landscape of digital security challenges. Her analysis reflects the urgency of addressing systemic weaknesses in software and infrastructure, as well as the need for proactive measures to counteract the evolving tactics of botnet operators. The article concludes by reinforcing that while the threat landscape is complex and dynamic, adopting best practices such as regular patching, secure configuration management, and robust access controls can significantly reduce the risk of exploitation. By staying vigilant and implementing these strategies, organizations can better defend against the persistent and adaptive nature of botnet-driven attacks.