
"The cybersecurity company said PHP servers have emerged as the most prominent targets of these attacks owing to the widespread use of content management systems like WordPress and Craft CMS. This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage. Some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors are listed below:
- CVE-2017-9841 - A remote code execution vulnerability in PHPUnit
- CVE-2021-3129 - A remote code execution vulnerability in Laravel
- CVE-2022-47945 - A remote code execution vulnerability in ThinkPHP Framework"
"Qualys said it has also observed exploitation efforts that involve the use of the "/?XDEBUG_SESSION_START=phpstorm" query string in HTTP GET requests to initiate an Xdebug debugging session with an integrated development environment (IDE) like PhpStorm. "If Xdebug is unintentionally left active in production environments, attackers may use these sessions to gain insight into application behavior or extract sensitive data," the company said."
"Alternatively, threat actors are continuing to look for credentials, API keys, and access tokens in internet-exposed servers to take control of susceptible systems, as well as leverage known security flaws in IoT devices to co-opt them into a botnet. These include:
- CVE-2022-22947 - A remote code execution vulnerability in Spring Cloud Gateway
- CVE-2024-3721 - A command injection vulnerability in TBK DVR-4104 an"
A spike in automated attacks is targeting PHP servers, IoT devices, and cloud gateways, driven by botnets such as Mirai, Gafgyt, and Mozi. The campaigns rely on publicly known, long-patched vulnerabilities and on misconfigured cloud deployments to take over exposed systems and grow the botnets; none of the flaws listed is new, so patching and basic hardening, not novel detection, is the primary control. PHP servers are the most prominent targets because of the widespread use of content management systems such as WordPress and Craft CMS, whose deployments often suffer from misconfigurations, outdated plugins and themes, and insecure file storage. Exploited PHP framework flaws include CVE-2017-9841 (PHPUnit), CVE-2021-3129 (Laravel), and CVE-2022-47945 (ThinkPHP). Attackers also probe for Xdebug left enabled in production by sending GET requests carrying the "/?XDEBUG_SESSION_START=phpstorm" query string, which asks the server to open a debugging session that can expose application internals and data, and they harvest credentials, API keys, and access tokens from internet-exposed servers. On the IoT and gateway side, CVE-2022-22947 (Spring Cloud Gateway remote code execution) and CVE-2024-3721 (TBK DVR-4104 command injection) are under active exploitation.
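The Xdebug probe described above is easy to spot in ordinary web-server access logs. The following is an added example, not code from the Qualys report or from The Hacker News: it parses Apache/nginx "combined" log lines and flags requests whose query string carries an Xdebug session trigger. Matching is done on the URL-decoded, case-folded parameter name, so `xdebug_session_start` or `XDEBUG%5FSESSION%5FSTART` is caught as well as the literal string from the report. The page names only XDEBUG_SESSION_START; the two extra trigger names XDEBUG_SESSION and XDEBUG_TRIGGER (the names Xdebug 3 also checks) are an assumption added here, as are the sample log lines, which are constructed.

```python
"""Flag Xdebug session-trigger probes in web-server access logs.

Added example (not from the Qualys report or The Hacker News article).
Assumes Apache/nginx "combined" log format. The sample lines below are
constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# XDEBUG_SESSION_START is the trigger named in the report. XDEBUG_SESSION and
# XDEBUG_TRIGGER are an assumption added here: they are the additional trigger
# names Xdebug 3 honours and start a session in the same way.
XDEBUG_TRIGGERS = {"XDEBUG_SESSION_START", "XDEBUG_SESSION", "XDEBUG_TRIGGER"}

# Constructed sample log: two probes from one source, one generic trigger
# from another, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2025:08:12:01 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2025:08:12:02 +0000] "GET /index.php?xdebug_session_start=PHPSTORM HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2025:08:13:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2025:08:14:11 +0000] "GET /app.php?XDEBUG_TRIGGER=1&page=home HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jul/2025:08:15:00 +0000] "POST /login?next=%2Fadmin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def xdebug_trigger(target):
    """Return (TRIGGER_NAME, value) if the request target carries an Xdebug
    trigger parameter, else None.

    parse_qs percent-decodes parameter names, and the name is upper-cased
    before comparison, so case changes or encoded underscores do not evade
    the check. keep_blank_values=True catches '?XDEBUG_SESSION_START='.
    """
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        canonical = name.upper()
        if canonical in XDEBUG_TRIGGERS:
            return canonical, values[0]
    return None


def scan_access_log(lines):
    """Parse combined-format lines and return one record per Xdebug probe.

    Unparseable lines are skipped rather than raising, since real logs
    contain malformed requests from scanners.
    """
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        found = xdebug_trigger(m["target"])
        if found is None:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "param": found[0],
            "ide_key": found[1],   # e.g. "phpstorm", the IDE key the probe asks for
            "target": m["target"],
        })
    return hits


def probes_by_source(hits):
    """Count probes per source IP; repeated probes from one host are the
    usual signature of an automated scanner."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["ide_key"]!r} -> {h["status"]} {h["target"]}')
    print("probes per source:", probes_by_source(found))
```

The HTTP status code says nothing about whether Xdebug actually engaged: a 200 is returned whether or not the extension is loaded. On a server where Xdebug must be off, the corroborating checks are `php -m` showing no xdebug module in the production SAPI and no outbound connections from the web server to a debugging client port (9003 by default in Xdebug 3, 9000 in Xdebug 2), since Xdebug connects back to the client rather than listening.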
Read at The Hacker News