Magnet Goblin exploits 1-day vulnerabilities to attack Windows and Linux

Check Point researchers have discovered a new financially motivated hack group, Magnet Goblin. The group prefers to exploit fresh vulnerabilities in products such as Ivanti Connect Secure, Apache ActiveMQ and ConnectWise ScreenConnect, distributing the cross-platform Nerbian RAT, MiniNerbian, and the WARPWIRE information stealer.

According to the researchers, the group has already attacked organizations in the US medical, manufacturing and energy sectors. In the Magnet Goblin attacks, vulnerable Ivanti Connect Secure VPN servers were compromised (just a day after a PoC exploit appeared) and then used as a springboard to deploy the group's malware in the victims' IT environments.

It is noted that researchers have identified at least 10 affected organizations in the United States, but the real number of victims is likely much higher.

Magnet Goblin has been confirmed to have exploited vulnerabilities in Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893), Apache ActiveMQ, ConnectWise ScreenConnect and Qlik Sense (CVE-2023-41265, CVE-2023-41266, CVE-2023-48365), as well as in Magento (CVE-2022-24086).

At the time of the attacks, all of the problems listed were 1-day vulnerabilities. That is, information about them had already been publicly disclosed and the vendors had already released patches, but the vulnerabilities were very recent, and not all affected organizations had had time to install the fixes.

As mentioned above, the group uses vulnerabilities to infect systems with malware such as NerbianRAT, MiniNerbian, as well as a custom version of the WARPWIRE JavaScript stealer.

The existence of NerbianRAT for Windows has been known since 2022, but Check Point now reports that Magnet Goblin uses a very effective Linux version of this malware, which is dated May 2022. The group also uses a simplified version of this malware called MiniNerbian as a backup malware and as a stealthier backdoor.


Both threats allow the attackers to collect information about the system and to execute arbitrary commands received from the command and control server, transmitting the results back.

It is also noted that on compromised victim systems the hackers use legitimate remote monitoring and management tools, including ScreenConnect and AnyDesk, which further complicates the detection of suspicious activity.


The researchers conclude that Magnet Goblin is a financially motivated, opportunistic group that has not yet been linked to a specific geographic location or to other criminal groups.
