Botnets Step Up Cloud Attacks Via Flaws, Misconfigurations

Dark Reading (1 month ago) | Updated 1 month ago

Infamous botnets like Mirai are exploiting Web-exposed assets such as PHP servers, IoT devices, and cloud gateways to gain control over systems and build strength.

October 29, 2025

A series of known and powerful botnets are ramping up attacks against Web-exposed assets such as PHP servers, Internet of Things (IoT) devices, and cloud gateways to gain control over network resources and bolster their own strength for further malicious activity.

These systems and devices are under an increasing threat from the Mirai, Gafgyt, and Mozi botnets through automated campaigns that exploit known vulnerabilities and cloud misconfigurations. The security gaps allow the attackers to launch remote code execution (RCE) attacks, exfiltrate data, or turn the server into a vehicle for further malware distribution, the Qualys Threat Research Unit (TRU) revealed in a report published today.

"With PHP powering more than 73% of websites and 82% of enterprises reporting incidents linked to cloud misconfigurations, the modern attack surface has never been broader," the report reads.

This attack surface includes sensitive Amazon Web Services (AWS) credential files on exposed or misconfigured Linux servers, as well as insecure or legacy IoT devices with outdated firmware, weak protocols, and hardcoded credentials. Attackers also are targeting cloud-native environments through exposed APIs and misconfigured services, weaponizing known, largely critical flaws.

In fact, recent network scanning activity found that attackers are exploiting a number of prominent cloud-based and networking services through their botnet activity, with thousands of source IPs originating from Google Cloud Platform (GCP), AWS, Microsoft Azure, DigitalOcean, and Akamai Cloud, among others, according to Qualys.

According to the report, "This pattern aligns with how threat actors often abuse cloud resources, using cheap, temporary, or compromised computer instances to conduct reconnaissance and exploit attempts while masking their real origin."

Take PHP, for example, which has become a foundational component for websites and Web applications, particularly within popular content management systems (CMS) such as WordPress. Its ubiquity, however, makes it an attractive target for botnets, especially because many of these deployments suffer from insecurities such as outdated versions and plug-ins, misconfigured file permissions, debugging components left enabled in production, and insecure file storage, according to Qualys.

Moreover, there are critical vulnerabilities that, if unpatched, will continue to provide entry points for RCE and data compromise. Some of the most prominent flaws are: CVE-2022-47945, a critical RCE flaw in the ThinkPHP framework that affects applications with multilanguage support enabled; CVE-2021-3129, an RCE vulnerability that affects Laravel applications and can be exploited by attackers to execute arbitrary code; and CVE-2017-9841, a long-standing vulnerability in PHPUnit, a widely used testing framework for PHP applications, that allows unauthenticated attackers to execute arbitrary code remotely.

IoT devices also are coming under considerable fire from botnets through existing vulnerabilities, according to Qualys. Mirai and Mirai-like botnets, for example, are currently using a critical command injection flaw, tracked as CVE-2024-3721, that stems from insecure firmware logic affecting TBK DVR-4104 and DVR-4216 devices. Mirai variants also are targeting a misconfiguration in the MVPower TV-7104HE DVR device, which contains a built-in backdoor that allows unauthenticated users to execute arbitrary system commands via an HTTP GET request.

Finally, cloud-native environments continue to be plagued by misconfigurations and other issues that allow for botnet exploitation, according to Qualys. In particular, Mirai and others use exposed APIs and misconfigured services to turn cloud resources into infrastructure that can be used for further malicious activity. One key flaw that the researchers said has been under particular attack recently is CVE-2022-22947, a critical RCE vulnerability in Spring Cloud Gateway. The flaw allows unauthenticated attackers to execute arbitrary code via a maliciously crafted request to the /actuator/refresh endpoint.

Given the increased threat of botnet activity against exposed Web-facing assets across organizations, Qualys suggested some security best practices to avoid compromise and prevent attackers from using organizations' infrastructure for malicious activity.

One recommendation is obvious but is still something with which many organizations struggle: regularly update all software dependencies, libraries, and frameworks to ensure vulnerabilities are fixed. In containerized environments, Qualys said, organizations should always rebuild images with the latest base and application versions. Defenders also can reduce their attack surface by removing or disabling development and debug tools in production, as many of the exploited vulnerabilities exist because these tools are left enabled there, according to the report.

Organizations also should take extra steps to protect sensitive files and secrets, and avoid storing them in plaintext files — another obvious but common mistake that can lead to exploitation, according to Qualys. Instead, they should use a managed store like AWS Secrets Manager or HashiCorp Vault.

Elizabeth Montalbano, Contributing Writer
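As an added example that is not from the article or the Qualys report: a small Python log check that flags requests to the Spring Cloud Gateway /actuator/refresh endpoint the report names, and probes for the exposed AWS credential files it describes, then counts flagged requests per source address, which is how the cloud-hosted scanning pattern above shows up in a web server's own access log. The sample log lines and the `.aws/credentials` path pattern are constructed assumptions, not data from the report.

```python
import re
from collections import Counter

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths worth alerting on. /actuator/refresh is the Spring Cloud Gateway
# endpoint the report cites; the .aws/credentials pattern is an assumed probe for
# the exposed AWS credential files it describes.
WATCHLIST = {
    "/actuator/refresh": "Spring Cloud Gateway actuator (CVE-2022-22947)",
    ".aws/credentials": "exposed AWS credential file probe",
}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the watchlist label matching the request path, or None."""
    for needle, label in WATCHLIST.items():
        if needle in entry["path"]:
            return label
    return None


def scan(lines):
    """Return (hits, per_ip): flagged entries, and flagged-request counts per
    source address so noisy scanners stand out from one-off requests."""
    hits, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and (label := classify(entry)):
            entry["reason"] = label
            hits.append(entry)
            per_ip[entry["ip"]] += 1
    return hits, per_ip


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [29/Oct/2025:10:01:03 +0000] "GET /.aws/credentials HTTP/1.1" 404 0
198.51.100.9 - - [29/Oct/2025:10:02:10 +0000] "POST /actuator/refresh HTTP/1.1" 200 0
198.51.100.9 - - [29/Oct/2025:10:02:11 +0000] "GET /actuator/refresh HTTP/1.1" 405 0
192.0.2.44 - - [29/Oct/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {h["reason"]}')
    print("flagged requests per source:", dict(per_ip))
```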

Source: This article was originally published on Dark Reading
