Magnet Goblin Exploits One-Day Vulnerabilities to Target Public-Facing Services

A financially motivated threat actor known as Magnet Goblin is rapidly incorporating one-day security vulnerabilities into its tactics to breach edge devices and public-facing services, deploying malware on compromised hosts. According to the report, Magnet Goblin stands out for its ability to quickly exploit newly disclosed vulnerabilities, often within 1 day after a proof-of-concept is published, significantly increasing the threat level posed by this group.

Attacks by Magnet Goblin have targeted unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and potentially Apache ActiveMQ servers as initial infection vectors to gain unauthorized access. The group has been active since at least January 2022.

After successfully exploiting these vulnerabilities, Magnet Goblin deploys a cross-platform remote access trojan (RAT) known as Nerbian RAT, first disclosed in May 2022, as well as its simplified variant, MiniNerbian. These RATs allow the threat actor to execute arbitrary commands received from a command-and-control (C2) server and exfiltrate the results back to it.

Additionally, Magnet Goblin utilizes tools like the WARPWIRE JavaScript credential stealer, the Go-based tunneling software Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect.

“Magnet Goblin’s campaigns, driven by financial motives, demonstrate a swift adoption of one-day vulnerabilities to deliver their custom Linux malware, Nerbian RAT, and MiniNerbian,” the researcher stated. “These tools operate discreetly on edge devices, reflecting a trend among threat actors to target previously unprotected areas.”

The emergence of threat actors like Magnet Goblin underscores the importance of promptly patching vulnerabilities and implementing robust cybersecurity measures to protect against evolving threats.

To prevent attacks by Magnet Goblin, ensure all software and systems are updated with the latest security patches. Implement robust cybersecurity measures, such as firewalls and intrusion detection systems, and regularly scan for vulnerabilities. Educate employees about phishing and other common attack vectors to enhance overall security posture.