'Magnet Goblin' Exploits Ivanti 1-Day Bug in Mere Hours



A prolific but previously hidden threat actor turns public vulnerabilities into working exploits before companies have time to patch.
March 12, 2024
While threat actors converged on Ivanti edge devices earlier this year, one of them moved quicker than the rest, deploying a one-day exploit the day after its public disclosure.
Of the five vulnerabilities that came to light in recent months, CVE-2024-21887 stood out. The command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways was rated a "critical" 9.1 out of 10 on the CVSS scale; it has since proven a powerful launchpad for malicious developers.
"Magnet Goblin," recently named in a Check Point research blog post, was one of the fastest to capitalize on that potential. Within a day of the release of a proof-of-concept (PoC) exploit, the group had malware in hand capable of exploiting the flaw.
"It's pretty quick," admits Sergey Shykevich, threat intelligence group manager at Check Point. More to the point, "It showed that they have some kind of an ongoing process for how to do it — that it's not the first time they're exploiting public-facing services."
For some time now, the previously unnamed Magnet Goblin has been exploiting one-days in public-facing services, including the e-commerce platform Magento, the data analytics service Qlik Sense, and Apache ActiveMQ.
If it exploits a vulnerability in a device running Windows, Magnet Goblin often deploys a remote monitoring and management (RMM) tool, such as ConnectWise's ScreenConnect or AnyDesk.

These malware examples have a better-than-average chance of flying under the radar, not so much because of their inherent sophistication but because they're usually deployed against edge devices. That, and, Shykevich says, "because they are focusing on Linux. More publications put more focus on Windows; also, there are currently better defensive capabilities for Windows."

It isn't just Magnet Goblin — other major threat actors, like the Raspberry Robin ransomware group, have been whipping up one-day exploits at rates never before seen.
For that reason, Shykevich advises, "the main thing to do is patch as quickly as possible. Patch, patch, patch." Although, he adds, "I hope companies have already patched. This recommendation is really not relevant, because if they haven't already, statistically, someone has exploited them in these past two months."
Besides that, he encourages organizations to ensure their Linux servers and other Linux assets have endpoint protections.
"Up to the last year-and-a-half, many organizations kind of neglected protecting Linux, because there are much fewer threat actors who work with Linux, generally, and less malware for it. But we've generally seen more and more focus on Linux from the bad guys, like the malware here, and more ransomware. It's a trend," he concludes. "So I recommend people verify their Linux servers are protected no less than their Windows."
Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.