Hackers exploit unpatched Ivanti vulnerabilities to deploy malware on Linux systems.
Magnet Goblin targets businesses using outdated software.
Patch immediately and implement strong security measures to protect against these attacks.
Cybersecurity researchers at Check Point are warning of a malicious campaign targeting one-day vulnerabilities in Ivanti and other security software products, potentially impacting a wide range of organizations.
The culprit behind this campaign is a financially motivated hacker group known as Magnet Goblin.
This group has been active since January 2022 and specializes in leveraging newly disclosed vulnerabilities, targeting public-facing servers and edge devices.
According to Check Point's research, Magnet Goblin is using one-day security vulnerabilities to breach edge devices and public-facing services and deploy custom malware on Linux systems.
For context: once a zero-day vulnerability has been publicly disclosed and a patch released, it is referred to as a one-day vulnerability.
The attackers exploit unpatched servers like Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy a cross-platform remote access trojan called Nerbian RAT, first documented by Proofpoint in 2022.
The group also used a simplified variant of Nerbian RAT, MiniNerbian, which allows arbitrary commands received from a C2 server to be executed.
NerbianRAT is downloaded onto systems compromised through critical Ivanti Connect Secure flaws.
While researching, Check Point discovered an infection via a one-day vulnerability that led to the download of the Linux variant of NerbianRAT.
The variant was used to carry out various malicious activities on compromised systems, including modifying connection intervals and work-time settings and updating configuration variables.
The group also used a JavaScript credential stealer called Warpwire and the open-source tunnelling tool Ligolo in attacks exploiting these vulnerabilities.
The Warpwire stealer is linked to mass exploitation of Ivanti vulnerabilities and was also used in a 2022 attack on Magento servers.
In attacks targeting Qlik Sense and Apache ActiveMQ, they used the remote monitoring and management tools ScreenConnect and AnyDesk. It is worth noting that Ivanti issued a public advisory in January for CVE-2024-21887, a command injection vulnerability, urging customers to patch their systems because it was being exploited in the wild.
Check Point found that Magnet Goblin's exploitation began within a day of a patch being issued, targeting systems that had not yet applied the available fix.
Organisations of all sizes relying on Ivanti software for endpoint management and security are at potential risk.
This includes companies in various sectors that utilize Ivanti to safeguard their critical infrastructure.
Patching Ivanti software is necessary to prevent exploitation, together with increased monitoring and a layered security approach that includes Endpoint Detection and Response (EDR) solutions to strengthen the overall security of the network and its devices.
This Cyber News was published on www.hackread.com. Publication date: Mon, 11 Mar 2024 18:43:51 +0000