Check Point has issued a warning about a malicious campaign that is exploiting one-day vulnerabilities in Ivanti Connect Secure and several other internet-facing products. The campaign has the potential to affect a broad range of organizations.
The Perpetrators
The campaign is orchestrated by a hacker group known as Magnet Goblin. This financially motivated group has been active since January 2022 and is known for exploiting newly disclosed vulnerabilities. Their primary targets are public-facing servers and edge devices.
Check Point’s research reveals that Magnet Goblin exploits one-day vulnerabilities to breach edge devices and public-facing services, then deploys custom malware on the compromised Linux systems. A one-day (or n-day) vulnerability is one that has already been publicly disclosed, and usually patched by the vendor, but that many organizations have not yet fixed; the attacker races the patch rather than relying on an unknown zero-day.
The group targets unpatched servers running Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ. On them it deploys a cross-platform remote access trojan (RAT) called NerbianRAT, first documented by Proofpoint in 2022. It also uses a stripped-down variant, MiniNerbian, which does little more than execute arbitrary commands received from a command-and-control (C2) server and return the results.
Under the Radar
Researchers note that NerbianRAT and MiniNerbian have largely gone unnoticed because they live on edge devices, where endpoint security agents are rarely installed and logging is thin. This is part of a broader trend of threat actors moving toward parts of the estate that have traditionally been left unprotected.
The NerbianRAT Linux variant was downloaded onto Ivanti Connect Secure appliances that had been compromised through the product’s critical flaws; Check Point traced one such one-day infection to the download of the Linux build. Once running, the implant takes commands from its C2 server: it can execute shell commands and report their output, and its operators can adjust its connection interval, its working-hours window (the times of day it will contact the C2), and other configuration variables.
Magnet Goblin exploited several vulnerabilities: in Ivanti Connect Secure, CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery in the SAML component); in Magento, CVE-2022-24086 (an input validation flaw allowing remote code execution); and in Qlik Sense, CVE-2023-41265 (HTTP request tunnelling), CVE-2023-41266 (path traversal) and CVE-2023-48365 (an incomplete fix for the earlier pair, again leading to remote code execution).
The Tools
Alongside the RATs, the group deployed a JavaScript credential stealer called Warpwire and the open-source tunnelling tool Ligolo; these are post-exploitation tools, used after a vulnerability has been exploited rather than to exploit it. Warpwire has been linked to the mass exploitation of the Ivanti flaws, and Check Point found a variant of it in a 2022 attack on a Magento server. In intrusions against Qlik Sense and Apache ActiveMQ the group also installed the legitimate remote monitoring and management tools ScreenConnect and AnyDesk to keep its access.
Ivanti issued a public advisory in January 2024 for CVE-2024-21887, a command injection vulnerability, urging customers to apply the fix because it was being exploited in the wild. Check Point found, however, that Magnet Goblin was exploiting the flaw within a day of the fix becoming available, against systems that had not yet applied it.
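A JavaScript credential stealer of the kind described above works by adding or altering script files served to users of a compromised appliance or web shop. Appliances rarely accept an EDR agent, but their web root can be hashed while known good and re-hashed later; any added, removed or changed file is a lead. The following is an added example, not code from Check Point’s report or from any of the products named in this article; the directory layout, file names and contents are constructed for the demonstration.

```python
"""Web-root integrity check against a known-good manifest (added example).

Hash every script-bearing file under a web root, keep the result as a
baseline, and diff a later run against it. Any 'added' or 'modified'
entry is a candidate injected credential stealer or web shell.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=(".js", ".php", ".html")):
    """Map each relevant file's path (relative to root, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return the added, removed and modified paths between two manifests."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "js", "login.js"), "w") as f:
            f.write("function login(u, p) { return post('/auth', {u, p}); }\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<script src=/js/login.js></script>\n")
        baseline = build_manifest(root)

        # Constructed tampering (not real malware): the login script gains an
        # extra line and a new script is dropped next to it.
        with open(os.path.join(root, "js", "login.js"), "a") as f:
            f.write("// appended by attacker\n")
        with open(os.path.join(root, "js", "ga.js"), "w") as f:
            f.write("fetch('https://example.invalid/c', {method: 'POST'});\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be taken from vendor-supplied media or a fresh install rather than from a running system that may already be compromised, and for Ivanti Connect Secure specifically the vendor’s own Integrity Checker Tool should be run in addition to any home-grown check.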
John Gallagher, Vice President of Viakoo Labs at Viakoo, shared his insights on the findings. He stated, “Magnet Goblin is taking the path of least resistance, exploiting recently disclosed vulnerabilities in poorly defended systems. There is often a delay between the disclosure of a vulnerability and the availability of a patch, followed by another delay before the patch is implemented.”
Gallagher further explained, “The teams managing edge and IoT systems are often separate from IT and may have different priorities or a different sense of urgency when it comes to patching. The speed of AI can accelerate these specific types of threats, making one-day threats a major security issue. This will continue to be a security risk until the speed of response by defenders matches the speed of delivery by threat actors.”
Any organization that exposes Ivanti Connect Secure, or the other products named above, to the internet is potentially at risk, whatever its size. This includes companies across many sectors that rely on these appliances to protect remote access to their networks.
The Solution
Patching is the only thing that removes the exposure: any Ivanti software, along with the Magento, Qlik Sense and ActiveMQ instances named above, should be updated as soon as a fix or vendor mitigation is released, since the group has moved within a day of a fix becoming available. Because the targets are edge devices, organizations should also increase monitoring of them and adopt a layered approach: network-level monitoring of outbound traffic from appliances, integrity checks of their file systems, and Endpoint Detection and Response (EDR) on the internal hosts an attacker would pivot to from a compromised edge device, since most appliances cannot run an EDR agent themselves.
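The implant described earlier keeps a fixed connection interval and a working-hours window, so even on an appliance that cannot run EDR it leaves a trace in network telemetry: a low-jitter, periodic outbound connection from the edge device to one external address. The following is an added example of that network-level check, not code from Check Point or from any vendor; the flow records are constructed for the demonstration and the thresholds are assumptions to tune against your own traffic.

```python
"""Beacon detection over connection logs (added example).

Group flow records by (source, destination), compute the gaps between
successive connections, and flag pairs whose gaps are nearly constant.
A human or a browser produces bursty, irregular traffic; a timer does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records, not real telemetry: "ISO-timestamp src dst:port".
# 10.0.0.5 -> 203.0.113.10 connects every ~600 s (the beacon);
# 10.0.0.5 -> 198.51.100.7 is irregular; 10.0.0.7 -> 192.0.2.20 is too sparse.
SAMPLE_FLOWS = """\
2024-02-01T09:00:00 10.0.0.5 203.0.113.10:443
2024-02-01T09:10:01 10.0.0.5 203.0.113.10:443
2024-02-01T09:20:00 10.0.0.5 203.0.113.10:443
2024-02-01T09:29:59 10.0.0.5 203.0.113.10:443
2024-02-01T09:40:00 10.0.0.5 203.0.113.10:443
2024-02-01T09:50:01 10.0.0.5 203.0.113.10:443
2024-02-01T10:00:00 10.0.0.5 203.0.113.10:443
2024-02-01T09:03:12 10.0.0.5 198.51.100.7:443
2024-02-01T09:04:45 10.0.0.5 198.51.100.7:443
2024-02-01T09:31:02 10.0.0.5 198.51.100.7:443
2024-02-01T09:58:19 10.0.0.5 198.51.100.7:443
2024-02-01T09:59:50 10.0.0.5 198.51.100.7:443
2024-02-01T09:05:00 10.0.0.7 192.0.2.20:443
2024-02-01T11:05:00 10.0.0.7 192.0.2.20:443
"""


def parse_flows(text):
    """Parse 'timestamp src dst:port' lines into {(src, dst): [datetime, ...]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation), or None if there
    are too few connections to judge periodicity."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, max_cv=0.1, min_connections=5):
    """Flag (src, dst) pairs with at least min_connections whose gaps vary by
    less than max_cv*100 % of the mean. Returns (src, dst, interval_s, cv)."""
    hits = []
    for (src, dst), stamps in parse_flows(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score and score[1] <= max_cv:
            hits.append((src, dst, round(score[0]), round(score[1], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s (cv={cv})")
```

Run this over firewall or NetFlow exports scoped to the appliance’s own outbound traffic, not the user traffic it forwards. Legitimate periodic traffic (NTP, update checks, licence pings) will also score as regular, so the output is a list to triage against known destinations rather than an alert on its own; a implant that randomizes its sleep defeats the jitter test and needs a volume- or destination-based check instead.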