Magnet Goblin Strikes: How Swift Hackers Exploit 1-Day Vulnerabilities to Unleash Malware Mayhem

In a digital game of cat and mouse, Magnet Goblin hackers pounce on 1-day vulnerabilities like a carb-deprived dieter on a cupcake—deploying custom malware with the finesse of a ninja in both Windows and Linux systems. Patch up or risk a cyber nibble!

Hot Take:

Looks like the cyber baddies at Magnet Goblin have been gobbling up 1-day vulnerabilities like they’re going out of style. They’re dropping their custom malware on servers faster than you can say “Patch Tuesday.” Who needs fancy 0-days when you’ve got speedy Goblin fingers and a knack for reverse-engineering patches? Let’s dive into the nerdy nitty-gritty of this digital gold rush!

Key Points:

  • Magnet Goblin is exploiting 1-day vulnerabilities like they’re collecting Pokémon cards.
  • They’ve got a taste for public-facing servers and a sweet tooth for Windows and Linux systems.
  • Their malware toy box includes NerbianRAT, MiniNerbian, and a WARPWIRE JavaScript stealer variant.
  • Check Point’s cyber Sherlocks discovered the group is quick on the draw, exploiting flaws almost as soon as a PoC is out.
  • Patching faster than a speeding bullet is essential to dodge the Magnet Goblin’s cyber spells.

CVE ID: CVE-2024-21888
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

CVE ID: CVE-2023-48365
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 11/15/2023
CVE description: Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

CVE ID: CVE-2023-46805
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE ID: CVE-2023-41266
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 08/29/2023
CVE description: A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

CVE ID: CVE-2024-21893
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CVE ID: CVE-2024-21887
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Title: Adobe Commerce checkout improper input validation leads to remote code execution
CVE ID: CVE-2022-24086
CVE state: PUBLISHED
CVE assigner short name: adobe
CVE date updated: 02/16/2022
CVE description: Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

CVE ID: CVE-2023-41265
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 08/29/2023
CVE description: An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Need to know more?

Goblin's Crafty Toolkit

It's like a cyber heist movie, and Magnet Goblin's playing the master thief with a toolkit that would make Danny Ocean jealous. They're slipping through the digital cracks using 1-day vulnerabilities, which are like open windows in a secured mansion. And just like any respectable thief, they leave their signature—a mix of custom malware that's as unique as a calling card left at the scene of the crime.

The Nerbian Chronicles

Our villainous troupe didn't stop at Windows; they've extended their reach into the Linux realm with a new and "improved" NerbianRAT. It's like they took the Windows version, put it through a Linux boot camp, and voilà—malware that's ready to do push-ups on both platforms. Not the most polished code, but hey, it gets the job done, collecting info and chatting with its C2 server like they're old pals on a secure line.

MiniNerbian: The Pocket-Sized Menace

But wait, there's more! Introducing MiniNerbian, the NerbianRAT's little sibling. It's the lite version for the malware enthusiast on the go. It does a little less, but it's perfect for quick command executions and staying under the radar. Think of it as the Swiss Army knife in Magnet Goblin's cyber toolbelt. Simple, effective, and it probably fits in your virtual pocket.

Hide and Seek: Magnet Goblin Edition

Check Point's analysts are playing a high-stakes game of Whac-A-Mole, trying to spot these sneaky Magnet Goblin moves. The problem is, the Goblins are good at this game, hiding their shenanigans among the chaos that erupts when vulnerabilities are disclosed. It's like trying to find a needle in a haystack if the haystack was also on fire and the needle was laughing at you.

The Race Against the Patch

What's the moral of the story? Patch your systems faster than you can swipe left on a bad Tinder profile. Speed is the name of the game, and in this digital race, the slow and the unsecured are bound to get a visit from our favorite Goblin friends. Throw in some cyber hygiene practices like network segmentation, endpoint protection, and multi-factor authentication, and you'll give these Goblins a run for their money.

Tags: 1-day vulnerabilities, custom malware, exploit techniques, Linux security, Magnet Goblin, Malware Analysis, threat actors