Cybercrime crew Magnet Goblin bursts onto the scene exploiting Ivanti holes

Plus: CISA pulls plug on couple of systems feared compromised


There's yet another group of miscreants out there hijacking insecure Ivanti devices: A new, financially motivated gang dubbed Magnet Goblin has emerged from the shadowy digital depths with a knack for rapidly exploiting newly disclosed vulnerabilities before vendors have issued a fix.

The cybercrime crew has targeted US medical, manufacturing, and energy-sector organizations, according to Check Point, which said it spotted Magnet Goblin abusing security holes in Ivanti's code to break into networks back in January, just one day after a proof-of-concept, or PoC, exploit was made public.

Specifically, the crooks appear to have hit vulnerable Ivanti Connect Secure VPN servers, compromising that equipment and using those footholds to deploy backdoors in victims' IT environments. Please make sure you're patched or have mitigations in place, and have checked for indications of compromise, if you're using Ivanti gear to secure your stuff.

"We were able to confirm less than 10 organizations in the US, but we assume the real number is much higher," Sergey Shykevich, threat intelligence manager at Check Point Research, told The Register, referring to Magnet Goblin's victims.

"We think it is an opportunistic cybercrime group that we currently can't affiliate to a specific geographical location or a known group," Shykevich added. "This group was able to utilize the Ivanti exploit extremely quickly, just one day after a POC for it was published."

On Friday, Shykevich's team shared its research about Magnet Goblin. We're told the cyber-gang deployed remote-control and data-stealing malware after breaking into organizations via Ivanti holes; that malware had been submitted to VirusTotal as early as January 2022 and had also been used in attacks against Adobe Magento 2 that same year.

This malicious software included MiniNerbian, a Linux backdoor used in those Magento 2 attacks, as well as a newer, novel Linux version of NerbianRAT, and a JavaScript credential stealer called WARPWIRE. The crew also uses legit remote monitoring and management tools such as ScreenConnect and AnyDesk once inside victims' IT environments, which makes their illicit activities a little more difficult to detect.

"Magnet Goblin distinguishes itself by its rapid adoption of newly disclosed vulnerabilities, notably targeting platforms such as Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ," according to the report.

The criminals move quickly, according to the security shop, exploiting these so-called "one-day vulnerabilities" in edge devices and public-facing services shortly after proof-of-concept exploits have been made public, but before the vendors have pushed patches to slam shut the security holes.

This strategy "signifies a profound threat to digital infrastructures worldwide," the infosec outfit noted.

Check Point said it first spotted the criminal gang while it was tracking the Ivanti Connect Secure vulnerabilities.

While the US government's Cybersecurity and Infrastructure Security Agency (CISA), along with private-sector security analysts at Mandiant and Volexity, initially linked these attacks to Chinese government-sponsored crews, including Beijing-backed Volt Typhoon, all types of cybercriminals soon jumped into the fray.

And despite the quick turnaround from when the Ivanti bugs were disclosed to when Magnet Goblin began exploiting them, Shykevich said his threat intel team can't definitively connect this gang to a specific region or existing crime group.

Check Point did, however, link Magnet Goblin's infrastructure to the Qlik Sense exploits reported in late November and early December.

After the Qlik Sense bugs were used to gain initial access, security researchers at Arctic Wolf said, at least some of the miscreants then infected victims with Cactus ransomware. ®
