Security researchers have uncovered a trend involving the exploitation of 1-day vulnerabilities, including two in Ivanti Connect Secure VPN. The flaws, identified as CVE-2023-46805 and CVE-2023-21887, were quickly exploited by multiple threat actors, leading to various malicious activities.
Tracking these exploits, the Check Point Research team said it encountered a cluster of activities attributed to a threat actor dubbed Magnet Goblin.
The actor has been observed methodically leveraging 1-day vulnerabilities, particularly targeting edge devices like the Ivanti Connect Secure VPN. Magnet Goblin uses custom Linux malware to pursue financial gain.
These exploits involve the deployment of malware via a range of methods, including the exploitation of vulnerabilities in Magento, Qlik Sense and potentially Apache ActiveMQ. Detailed in an advisory published on Friday, the researchers' investigation revealed a sophisticated infrastructure behind Magnet Goblin's operations.
They found evidence of the deployment of payloads such as WARPWIRE JavaScript credential stealers and Ligolo tunneling tools.
The threat actor's activities extended beyond Linux environments, with some instances targeting Windows systems using tools like ScreenConnect and AnyDesk, suggesting a wide-ranging and adaptable approach.
CPR said the analysis of NerbianRAT variants sheds light on the intricacies of the malware's operation.
From initialization to command-and-control, the malware exhibits a sophisticated design, allowing for flexibility in executing various actions on infected machines.
MiniNerbian, a simplified version of NerbianRAT, further showcases the threat actor's adaptability and stealthy tactics.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Mon, 11 Mar 2024 17:00:16 +0000