Security researchers have uncovered a trend involving the exploitation of 1-day vulnerabilities (flaws that are already publicly disclosed or patched, but not yet fixed on every exposed system), including two in Ivanti Connect Secure VPN.
The flaws, identified as CVE-2023-46805 and CVE-2024-21887, were quickly exploited by multiple threat actors, leading to various malicious activities. While tracking these exploits, the Check Point Research (CPR) team said it encountered a cluster of activity attributed to a threat actor dubbed Magnet Goblin.
The actor has been observed methodically leveraging 1-day vulnerabilities, particularly targeting edge devices like the Ivanti Connect Secure VPN. Magnet Goblin uses custom Linux malware to pursue financial gain.
The Ivanti flaws are not the only entry point: the actor has also delivered malware by exploiting vulnerabilities in Magento and Qlik Sense, and potentially in Apache ActiveMQ.
Detailed in an advisory published on Friday, the researchers’ investigation revealed a sophisticated infrastructure behind Magnet Goblin’s operations. They found evidence of the deployment of payloads such as WARPWIRE JavaScript credential stealers and Ligolo tunneling tools.
Furthermore, the threat actor’s activities extended beyond Linux environments, with some instances targeting Windows systems using legitimate remote access tools such as ScreenConnect and AnyDesk, suggesting a wide-ranging and adaptable approach.
CPR said its analysis of NerbianRAT variants details how the malware operates at each stage, from initialization through command-and-control, and shows a design flexible enough to execute a range of actions on infected machines. MiniNerbian, a simplified version of NerbianRAT, further showcases the threat actor’s adaptability and stealthy tactics.
“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian,” warned CPR.
“Those tools have operated under the radar as they mostly reside on edge devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”