Magnet Goblin Exploits Ivanti 1-Day Bug in Mere Hours

Published: 23/11/2024   Category: security




A prolific but previously hidden threat actor turns public vulnerabilities into working exploits before companies have time to patch.



While threat actors converged on Ivanti edge devices earlier this year, one of them moved quicker than the rest, deploying a one-day exploit the day after its public disclosure.
Of the five vulnerabilities that came to light in recent months, CVE-2024-21887 stood out. The command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways was rated a critical 9.1 out of 10 on the CVSS scale; it has since proven a powerful launchpad for malicious developers.
Magnet Goblin, recently named in a Check Point research blog post, was one of the fastest to capitalize on that potential. Within a day after the release of a proof-of-concept (PoC) exploit, the group had malware in hand capable of exploiting it.
"It's pretty quick," admits Sergey Shykevich, threat intelligence group manager at Check Point. More to the point, "It showed that they have some kind of an ongoing process for how to do it — that it's not the first time they're exploiting public-facing services."
For some time now, the previously unnamed Magnet Goblin has been exploiting one-days in public-facing services, including the e-commerce platform Magento, the data analytics service Qlik Sense, and Apache ActiveMQ.
If it compromises a Windows device through such a vulnerability, Magnet Goblin often deploys a remote monitoring and management (RMM) tool, such as ConnectWise's ScreenConnect or AnyDesk.
Its custom malware tools, however, work equally across Windows and Linux systems. They include Warpwire, a rudimentary JavaScript VPN credential stealer; a relatively more advanced backdoor called NerbianRAT; and a scaled-down variant of NerbianRAT called MiniNerbian, used for command execution.
These malware examples have a better-than-average chance of flying under the radar, not so much because of their inherent sophistication but because they're usually deployed against edge devices. That, and, Shykevich says, because they are focusing on Linux. "More publications put more focus on Windows; also, there are currently better defensive capabilities for Windows."
It isn't just Magnet Goblin — other major threat actors, like the Raspberry Robin ransomware group, have been whipping up one-day exploits at rates never before seen.
For that reason, Shykevich advises, the main thing to do is patch as quickly as possible. "Patch, patch, patch." Although, he adds, "I hope companies have already patched. This recommendation is really not relevant, because if they haven't already, statistically, someone has exploited them in these past two months."
Besides that, he encourages organizations to ensure their Linux servers and other Linux assets have endpoint protections.
"Up to the last year-and-a-half, many organizations kind of neglected protecting Linux, because there are much fewer threat actors who work with Linux, generally, and less malware for it. But we've generally seen more and more focus on Linux from the bad guys, like the malware here, and more ransomware. It's a trend," he concludes. "So I recommend people verify their Linux servers are protected no less than their Windows."
