There's yet another group of miscreants out there hijacking insecure Ivanti devices: A new, financially motivated gang dubbed Magnet Goblin has emerged from the shadowy digital depths with a knack for rapidly exploiting newly disclosed vulnerabilities before vendors have issued a fix.
The cybercrime crew has targeted US medical, manufacturing, and energy-sector organizations, according to Check Point, which said it spotted Magnet Goblin abusing security holes in Ivanti's code to break into networks back in January just one day after a proof-of-concept, or PoC, exploit was made public.
Specifically, the crooks appear to have hit vulnerable Ivanti Connect Secure VPN servers, compromising that equipment and using those footholds to deploy backdoors in victims' IT environments.
Please make sure you're patched or have mitigations in place, and have checked for indications of compromise, if you're using Ivanti gear to secure your stuff.
Speaking of Ivanti and its security, it turns out CISA was in all probability a victim.
The US government's top cybersecurity agency on Friday confirmed it was among the 15 federal agencies that had been using flawed Ivanti VPN servers.
CISA has evidence its gear was compromised.
On Friday, Shykevich's Check Point threat intel team shared its research about Magnet Goblin.
We're told the cyber-gang deployed remote-control and data-stealing malware after breaking into organizations via Ivanti holes, malware that was submitted to VirusTotal as early as January 2022 and also used in attacks against Adobe Magento 2 that same year.
This malicious software included MiniNerbian, a Linux backdoor used in those Magento 2 attacks, as well as a newer, novel Linux version of NerbianRAT, and a JavaScript credential stealer called WARPWIRE. The crew also uses legit remote monitoring and management tools such as ScreenConnect and AnyDesk once inside victims' IT environments, which makes their illicit activities a little more difficult to detect.
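One defensive check for the tactic described above is to flag RMM binaries that start on hosts where they are not sanctioned, or from an unusual parent or path. The Python below is an added example, not code from Check Point or the article; the process-start events, the host allowlist, the executable names and the parent-process heuristic are all assumptions made for illustration.

```python
from dataclasses import dataclass
# Executable names for the RMM tools the article names; illustrative, not exhaustive.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}
# Assumed policy: the only hosts where each tool is sanctioned.
APPROVED_HOSTS = {"AnyDesk": {"helpdesk-01"}, "ScreenConnect": {"helpdesk-01", "it-admin-02"}}
# Parents that rarely launch a legitimate helpdesk session (assumed heuristic).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "w3wp.exe"}

@dataclass(frozen=True)
class ProcessStart:
    host: str
    image: str    # full path of the started executable
    parent: str   # image name of the parent process

def classify(event):
    """Return (tool, reasons) when an RMM start breaks policy, else None."""
    name = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    tool = RMM_IMAGES.get(name)
    if tool is None:
        return None          # not an RMM binary we track
    reasons = []
    if event.host not in APPROVED_HOSTS.get(tool, set()):
        reasons.append(f"{tool} not sanctioned on {event.host}")
    if event.parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {event.parent}")
    if "program files" not in event.image.lower():
        reasons.append(f"non-standard path {event.image}")
    return (tool, reasons) if reasons else None

def find_suspicious(events):
    """Reduce a stream of process-start events to (host, tool, reasons) hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.host, verdict[0], verdict[1]))
    return hits

# Constructed sample telemetry (not real data): one sanctioned session, two rogue ones.
SAMPLE_EVENTS = [
    ProcessStart("helpdesk-01", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "explorer.exe"),
    ProcessStart("erp-db-03", r"C:\Users\Public\AnyDesk.exe", "cmd.exe"),
    ProcessStart("fileserver-07", r"C:\Windows\Temp\ScreenConnect.ClientService.exe", "powershell.exe"),
    ProcessStart("fileserver-07", r"C:\Windows\System32\svchost.exe", "services.exe"),
]
```

Feed the same classifier with process-creation events from your EDR or Sysmon pipeline; the allowlist and parent heuristic are the parts to tune to your environment.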
Check Point said it first spotted the criminal gang while it was tracking the Ivanti Connect Secure vulnerabilities.
While the US government's Cybersecurity and Infrastructure Security Agency, along with private-sector security analysts at Mandiant and Volexity, initially linked these attacks to Chinese government-sponsored crews, including Beijing-backed Volt Typhoon, all types of cybercriminals soon jumped into the fray.
Despite the quick turnaround from when the bugs in the Ivanti devices were disclosed to when Magnet Goblin began exploiting them, Shykevich said his threat intel team can't definitively connect this gang to a specific region or existing crime group.
Check Point did link Magnet Goblin's infrastructure to the Qlik Sense exploits reported in late November and early December.
Security researchers at Arctic Wolf said that, after using the Qlik Sense bugs to gain initial access, at least some of the miscreants then infected victims with Cactus ransomware.
This Cyber News was published on www.theregister.com. Publication date: Sun, 10 Mar 2024 18:44:04 +0000