Magnet Goblin Exploits 1-Day Flaws: Act Now!

The group known as Magnet Goblin has been actively exploiting vulnerabilities in publicly accessible servers to deploy malware on Windows and Linux systems.

This group focuses on exploiting 1-day vulnerabilities—security flaws that have been disclosed and patched, requiring swift action from adversaries before the targeted systems are updated.

Check Point analysts, who uncovered Magnet Goblin’s activities, observed the group’s eagerness to exploit vulnerabilities immediately after the publication of exploit proof-of-concept (PoC). Targets of these attacks include devices or services such as Ivanti Connect Secure, Apache ActiveMQ, ScreenConnect, Qlik Sense, and Magento, whose utilization leads to server infections with specialized malware, including NerbianRAT and MiniNerbian, as well as a custom JavaScript malware variant WARPWIRE for credential theft.

An analysis of the infrastructure involved in campaigns against Magento and Ivanti revealed the use of additional tools for Linux and Windows, including the ScreenConnect program. A possible connection to the ransomware CACTUS, utilized in attacks on the Qlik Sense business analytics platform, was also noted.

Particular attention is given to the Linux malware NerbianRAT, known since 2022, and its simplified version MiniNerbian. Both versions are capable of gathering system information, executing Command and Control (C2) server commands, and facilitating encrypted communication. Experts note that MiniNerbian uses HTTP for data transmission and is active only during specific hours.

Magnet Goblin employs its tools to maintain persistent control over compromised systems, utilizing various communication methods: MiniNerbian communicates via HTTP, while NerbianRAT uses raw TCP sockets.

According to Check Point, identifying specific threats like Magnet Goblin’s attacks among all 1-day exploit data poses a challenging task. This issue allows hackers to remain undetected amidst the chaos following the disclosure of vulnerabilities.

To counter the exploitation of 1-day vulnerabilities, the timely application of patches is critically important. Additional measures, such as network segmentation, endpoint protection, and multi-factor authentication, can help mitigate the risk and impact of potential breaches.