The financially motivated threat actor group Magnet Goblin is exploiting one-day security vulnerabilities to breach edge devices and public-facing services, deploying malware on the compromised hosts. The group is known for turning newly disclosed vulnerabilities into working exploits against servers and devices within a short time, which raises the threat they pose.
Attacks by Magnet Goblin have targeted unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers for initial infection. The group has been active since at least January 2022 and deploys the Nerbian RAT and MiniNerbian after successful exploitation, allowing for remote access and command execution.
The Nerbian RAT and MiniNerbian malware strains enable the execution of arbitrary commands from a command-and-control server and exfiltration of results. Magnet Goblin also uses tools such as the WARPWIRE JavaScript credential stealer, Ligolo tunneling software, and remote desktop offerings like AnyDesk and ScreenConnect.
The group’s campaigns are financially motivated, and they have been quick to adopt one-day vulnerabilities to deliver their custom Linux malware. Magnet Goblin’s tooling is mostly deployed on edge devices, a part of the network that has historically received less security coverage.
Overall, Magnet Goblin’s activities highlight the trend of threat actors targeting vulnerable areas with advanced malware and exploiting newly disclosed vulnerabilities. The group’s swift adoption of exploits underscores the importance of timely patching and robust security measures to protect against such attacks.
