Magnet Goblin Delivers Linux Malware Using One-Day Vulnerabilities

March 11, 2024 at 08:09AM

Check Point reports that the financially motivated threat actor Magnet Goblin has been exploiting one-day vulnerabilities (flaws that are already publicly disclosed and patched, but not yet patched everywhere) in public-facing services to deploy Linux backdoors. The actor has targeted vulnerabilities in Ivanti VPNs, Magento and Qlik Sense, among others. Check Point warns that threat actors continue to concentrate on under-protected areas such as edge devices.

According to the report, Magnet Goblin has been targeting one-day vulnerabilities in public-facing services to deploy Linux backdoors. The group adopts newly disclosed vulnerabilities quickly, especially those affecting edge devices, and relies on its custom Nerbian malware family for post-exploitation access.

Magnet Goblin has specifically targeted publicly disclosed vulnerabilities in Ivanti VPNs, Magento, Qlik Sense and possibly Apache ActiveMQ. In one attack exploiting the Ivanti flaws, the actor deployed a JavaScript credential stealer called Warpwire, a Linux variant of the NerbianRAT backdoor and the open-source tunneling tool Ligolo.

The report also discusses the link between Warpwire and the mass exploitation of the Ivanti vulnerabilities, suggesting that more than one threat actor may be using the stealer. Magnet Goblin has additionally been observed using the remote monitoring and management (RMM) tools ScreenConnect and AnyDesk for persistent access.
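The tooling named above (Ligolo for tunneling, AnyDesk and ScreenConnect for RMM) is a practical hunting lead on Linux hosts. The following script is an added example, not part of the Check Point report or of any Magnet Goblin tooling: it parses a `ps -eo pid,user,args` listing and flags processes whose command line matches those tool names, plus binaries launched from scratch directories. The watchlist names come from the report; the directory heuristic, the process listing and the IP addresses in it are constructed for this example.

```python
"""Hunt a Linux process listing for post-exploitation tooling named in the
Magnet Goblin report (Ligolo, AnyDesk, ScreenConnect).

Added example, not code from the report. The sample `ps` output below is
constructed; the suspicious-directory heuristic is this example's own
assumption, not something the report describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Tool names taken from the report. Matching on the full command line (not
# just the executable) catches renamed binaries run through a shell wrapper.
WATCHLIST = {
    "ligolo": re.compile(r"ligolo", re.I),                           # tunneling
    "anydesk": re.compile(r"anydesk", re.I),                         # RMM
    "screenconnect": re.compile(r"screenconnect|connectwise", re.I), # RMM
}

# Assumption: on an edge device nothing legitimate should execute from here.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class Finding:
    pid: int
    user: str
    reason: str
    args: str


def parse_ps_line(line: str) -> tuple[int, str, str] | None:
    """Parse one line of `ps -eo pid,user,args` output.

    Returns (pid, user, args), or None for the header and blank lines.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2]


def hunt(ps_output: str) -> list[Finding]:
    """Return one Finding per process that matches the watchlist or runs
    from a suspicious directory. Watchlist hits take precedence."""
    findings: list[Finding] = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, user, args = parsed
        exe = args.split()[0]
        for name, rx in WATCHLIST.items():
            if rx.search(args):
                findings.append(Finding(pid, user, f"watchlisted tool: {name}", args))
                break
        else:
            if any(exe.startswith(d) for d in SUSPICIOUS_DIRS):
                parent = exe.rsplit("/", 1)[0]
                findings.append(Finding(pid, user, f"binary executed from {parent}/", args))
    return findings


# Constructed sample listing: two benign daemons, an agent hidden in /tmp,
# an AnyDesk service and a Ligolo agent launched via /bin/sh.
SAMPLE_PS = """\
    PID USER     COMMAND
      1 root     /sbin/init
    412 root     /usr/sbin/sshd -D
    987 www-data /usr/sbin/nginx -g daemon on;
   1503 root     /tmp/.X11/agent -connect 203.0.113.10:11601 -ignore-cert
   1610 root     /opt/anydesk/anydesk --service
   1722 root     /bin/sh -c /var/tmp/.cache/ligolo-agent -connect 198.51.100.7:443
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_PS):
        print(f"pid={f.pid} user={f.user} {f.reason}: {f.args}")
```

Run it against live output with `hunt(subprocess.check_output(["ps", "-eo", "pid,user,args"], text=True))`. Name matching alone is weak against a renamed binary, which is why the example also keys on where the executable lives; on a real edge appliance the directory list should be tuned to that platform's layout.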

The two backdoors used by Magnet Goblin, the Linux variant of NerbianRAT and MiniNerbian, support a range of operator commands and give the actor flexibility to operate stealthily on infected machines. They share some code but appear to be distinct malware families with overlapping functionality.

Check Point concludes that Magnet Goblin's campaigns appear to be financially motivated and that the group has been quick to adopt one-day vulnerabilities to deliver its custom Linux malware, concentrating on edge devices and other targets that have traditionally received less defensive attention.

Related coverage from the same period includes Chinese cyberspies using new malware in Ivanti VPN attacks, Redis servers being targeted with the new 'Migo' malware, and the widespread exploitation of the 'SlashAndGrab' ScreenConnect vulnerability for malware delivery.
