A financially driven threat actor group known as Magnet Goblin is rapidly exploiting one-day vulnerabilities to compromise edge devices and publicly accessible services. Their swift adaptation of these vulnerabilities enables the deployment of malware on compromised hosts, elevating the potential risks for organizations targeted by their campaigns.
Check Point, a prominent cybersecurity firm, highlighted that Magnet Goblin’s operational strategy revolves around quickly leveraging newly disclosed security flaws, particularly those affecting public-facing servers and edge devices. They noted, “In some instances, the group has been able to initiate attacks within just one day of the proof-of-concept being released.” This rapid response not only underscores the threat posed but also reflects a sophisticated understanding of the security landscape.
Recent attacks attributed to this group have capitalized on unpatched servers, specifically targeting Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers. These vulnerabilities serve as an initial entry point for unauthorized access, suggesting a coordinated approach to identifying and exploiting weak spots in public infrastructure. Reports indicate that Magnet Goblin has been operating since at least January 2022.
Once these vulnerabilities are successfully exploited, the group deploys a cross-platform remote access trojan (RAT) known as Nerbian RAT, which was first identified by researchers at Proofpoint in May 2022. A simplified variant, called MiniNerbian, has also been associated with these attacks. The use of the Linux version of Nerbian RAT has previously been documented, indicating a level of versatility in the technologies they deploy.
Both variants of the RAT enable attackers to execute arbitrary commands issued from a command-and-control (C2) server and can exfiltrate data back to the attacker, demonstrating the significant risk they pose to affected businesses.
Additional tools employed by Magnet Goblin include the WARPWIRE JavaScript credential stealer and the Go-based tunneling software Ligolo, as well as legitimate remote desktop solutions like AnyDesk and ScreenConnect. These tools diversify their attack capabilities and enhance their stealth during operations.
As noted by cybersecurity experts, Magnet Goblin’s strategy is characterized by the use of these one-day vulnerabilities to deploy its custom Linux malware, including the Nerbian RAT and MiniNerbian. This approach illustrates a broader trend among cybercriminals of exploiting previously overlooked parts of the attack surface, raising alarms about the security of edge devices that are frequently left unprotected and unmonitored.
In summary, the activities of Magnet Goblin reflect a concerning shift in cyber threat landscapes, particularly for organizations relying on public-facing servers and edge devices. The group’s employment of techniques outlined in the MITRE ATT&CK Matrix—including initial access via exploiting vulnerabilities, persistence through deployment of RATs, and potential privilege escalation—highlights the urgency for businesses to fortify their cybersecurity measures.