'Magnet Goblin' Exploits Ivanti 1-Day Bug in Mere Hours

While threat actors converged on Ivanti edge devices earlier this year, one of them moved quicker than the rest, deploying a one-day exploit the day after its public disclosure.

Of the five vulnerabilities that came to light in recent months, CVE-2024-21887 stood out. The command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways was rated a "critical" 9.1 out of 10 on the CVSS scale; it has since proven a powerful launchpad for malicious developers.

"Magnet Goblin," recently named in a Check Point research blog post, was one of the fastest to capitalize on that potential. Within a day after the release of a proof-of-concept (PoC) exploit, the group had malware in-hand capable of exploiting it.

"It's pretty quick," admits Sergey Shykevich, threat intelligence group manager at Check Point. More to the point, "It showed that they have some kind of an ongoing process for how to do it — that it's not the first time they're exploiting public-facing services."

What to Know About Magnet Goblin

For some time now, the previously unnamed Magnet Goblin has been exploiting one-days in public-facing services, including the e-commerce platform Magento, the data analytics service Qlik Sense, and Apache ActiveMQ.

If it compromises a vulnerability in a device running Windows, Magnet Goblin often deploys a remote monitoring and management (RMM) tool, such as ConnectWise's ScreenConnect or AnyDesk.

Its custom malware tools, however, work equally across Windows and Linux systems. They include Warpwire, a rudimentary Javascript VPN credential stealer, a relatively more advanced backdoor called NerbianRAT, and a scaled-down variant of NerbianRAT called MiniNerbian, used for command execution.

These malware examples have a better-than-average chance of flying under the radar, not so much because of their inherent sophistication but because they're usually deployed against edge devices. That, and, Shykevich says, "because they are focusing on Linux. More publications put more focus on Windows; also, there are currently better defensive capabilities for Windows."

What to Do (Since It's Too Late to Just Patch)

It isn't just Magnet Goblin — other major threat actors, like the Raspberry Robin ransomware group, have been whipping up one-day exploits at rates never before seen.

For that reason, Shykevich advises, "the main thing to do is patch as quickly as possible. Patch, patch, patch." Although, he adds, "I hope companies have already patched. This recommendation is really not relevant, because if they haven't already, statistically, someone has exploited them in these past two months."

Besides that, he encourages organizations to ensure their Linux servers and other Linux assets have endpoint protections.

"Up to the last year-and-a-half, many organizations kind of neglected protecting Linux, because there are much fewer threat actors who work with Linux, generally, and less malware for it. But we've generally seen more and more focus on Linux from the bad guys, like the malware here, and more ransomware. It's a trend." he concludes. "So I recommend people verify their Linux servers are protected no less than their Windows."