The threat actor group Magnet Goblin is rapidly exploiting newly disclosed vulnerabilities to target public-facing servers and edge devices, warned Check Point. The gang has been active since at least January 2022 and has used unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers to gain unauthorized access.
Diving into details
- In the latest instance, an Ivanti Connect Secure exploitation campaign resulted in the deployment of a Linux version of a malware called NerbianRAT and a JavaScript credential stealer named WARPWIRE.
- Magnet Goblin’s arsenal also includes MiniNerbian, a small Linux backdoor, and RMM tools for Windows.
- After gaining unauthorized access through unpatched servers, the threat actor deploys NerbianRAT and MiniNerbian to execute arbitrary commands and exfiltrate data from compromised hosts.
- The campaign appears to be financially motivated, and the attackers are focusing on edge devices and public-facing servers that have typically been left unprotected.
- The group’s use of 1-day vulnerabilities and custom Linux malware highlights a trend of targeting previously unprotected edge devices for financial gain.
Beware of these latest threats
- Most recently, the North Korean Kimsuky APT group was found exploiting vulnerabilities in ConnectWise ScreenConnect software to deploy ToddlerShark malware for long-term espionage and data exfiltration.
- The ToddlerShark malware uses polymorphic code, legitimate Microsoft binaries, and unique C2 URLs to evade detection and establish persistence on infected devices.
- In February, a campaign by the hacking group UAC-0184 used steganography to deliver the Remcos RAT to a Ukrainian entity in Finland.
- The attack began with phishing emails impersonating Ukrainian and Israeli military entities, leading to the download of the IDAT Loader.
The bottom line
The Magnet Goblin campaign showcases the urgent need for robust cybersecurity defenses against rapidly evolving threats. The group’s exploitation of 1-day vulnerabilities in public-facing servers underscores the critical importance of timely patching and continuous monitoring to protect against sophisticated cyber threats.