‘Magnet Goblin’ Exploits Ivanti 1-Day Bug in Mere Hours

March 12, 2024 at 04:11PM

Threat actors targeted Ivanti edge devices earlier this year. CVE-2024-21887, a one-day vulnerability in Ivanti Connect Secure and Policy Secure gateways rated 9.1/10, was quickly capitalized on by “Magnet Goblin.” Known for exploiting one-days in public-facing services, this group deploys malware capable of flying under the radar, which underscores the need for prompt patching and Linux server protection.

Key Takeaways from Meeting Notes:

1. Multiple threat actors, including Magnet Goblin, have been exploiting one-day vulnerabilities in public-facing services such as Ivanti Connect Secure, Policy Secure gateways, Magento, Qlik Sense, and Apache ActiveMQ.

2. Magnet Goblin is known for being particularly quick at capitalizing on vulnerabilities, especially in devices running Windows, where it often deploys remote monitoring and management (RMM) tools.

3. These exploits are more likely to target edge devices and often go undetected because they focus on Linux, where defensive capabilities are currently not as strong as on Windows.

4. Shykevich emphasizes the urgency of patching vulnerabilities as quickly as possible, as the exploitation window is often very short. He also stresses the importance of ensuring endpoint protection for Linux servers, as threat actors increasingly focus on exploiting Linux systems.

Overall, the notes underscore the critical need for timely patching of vulnerabilities and stronger endpoint protection for Linux servers in response to the evolving tactics of threat actors like Magnet Goblin.
