Meet Magnet Goblin: The Sneaky New Cyber Menace Targeting US Healthcare and Energy Sectors

Magnet Goblin, the cyber world’s latest mischief-maker, zips through 1-day vulnerabilities faster than you can say “patch it!” Hitting Windows and Linux with a malware menagerie, these digital pickpockets have a laugh targeting US healthcare and energy, all without a nation-state chaperone. Watch your bytes! #MagnetGoblinMalwareMischief

Hot Take:

Imagine being so eager to exploit vulnerabilities that you’re practically waiting with bated breath for patches to drop. Magnet Goblin, the cyber equivalent of ‘early birds catch the worm,’ only they’re not after worms—they’re after your data, and they’re not early; they’re right on time, with an alarm set for Patch Day. Now, if only they’d redirect that punctuality into something less nefarious, like baking cookies or knitting sweaters.

Key Points:

  • Magnet Goblin: a new hacking collective that’s faster than your IT department on a caffeine buzz, exploiting 1-day vulnerabilities.
  • They’ve got a malware menagerie featuring NerbianRAT, MiniNerbian, and WARPWIRE, because variety is the spice of cybercrime.
  • Target of choice: US healthcare, manufacturing, and energy sectors, because why go for low-hanging fruit when you can climb the tree?
  • Financially motivated, not state-sponsored—think of them as independent entrepreneurs of the dark web.
  • They’re as mysterious as they are quick, with no known address or affiliation—cyber ninjas, if you will.

Cve id: CVE-2023-41266
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 08/29/2023
Cve description: A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Cve id: CVE-2023-46805
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/12/2024
Cve description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Cve id: CVE-2023-48365
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 11/15/2023
Cve description: Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

Cve id: CVE-2024-21888
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/31/2024
Cve description: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

Cve id: CVE-2023-41265
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 08/29/2023
Cve description: An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Cve id: CVE-2024-21893
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/31/2024
Cve description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Title: Adobe Commerce checkout improper input validation leads to remote code execution
Cve id: CVE-2022-24086
Cve state: PUBLISHED
Cve assigner short name: adobe
Cve date updated: 02/16/2022
Cve description: Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

Cve id: CVE-2024-21887
Cve state: PUBLISHED
Cve assigner short name: hackerone
Cve date updated: 01/12/2024
Cve description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Need to know more?

Meet the New Cyber Menace

There's a new hacker in town, and they've got a name straight out of a comic book: Magnet Goblin. This group isn't playing games, though—they're here to exploit security flaws faster than you can say "update available." And with a penchant for 1-day vulnerabilities, they're making IT departments everywhere sweat more than a marathon runner in a sauna.

Malware, Malware Everywhere

But what's a hacker without their tools? Magnet Goblin comes equipped with an arsenal of malware, ready to infiltrate both Windows and Linux systems. There's NerbianRAT, which sounds like a pest you'd call an exterminator for, except this one's infecting your computer, not your basement. And for those who like their malware like their diets—light and minimal—there's MiniNerbian, the 'low-cal' version of its big brother.

No Country for Old Hackers

Forget about state-sponsored fun, Magnet Goblin is all about the Benjamins, or at least the digital equivalent. They're financially motivated, targeting the juicy sectors of healthcare, manufacturing, and energy. It's like choosing to rob banks over lemonade stands—higher risk, but definitely higher reward.

Counting Victims Like Sheep

Check Point's researchers have spotted fewer than ten victims in the wild, wild web. But let's be real, in the world of cybercrime, for every victim you see, there's probably a dozen more you don't. It's like when you spot one ant in your kitchen—there's an entire army you're not seeing.

Anonymous But Punctual

The group's origins are as clear as mud, with no ties to any location or existing cybercrime syndicate. They're the enigmatic strangers of the cyber world, but they've got one thing down: efficiency. They had a working exploit for Ivanti in play faster than most people can remember their passwords.

And there you have it, the latest episode of "Hackers Gone Wild." If you're into keeping your data safe (and who isn't?), you might want to sign up for those security newsletters, because it's a jungle out there, and Magnet Goblin is on the prowl. Stay safe, update regularly, and maybe don't click on that suspicious-looking email from a prince offering you a fortune. Just a thought.

Finally, a shoutout to Sead, the man who probably has more aliases than our hacker friends here, for bringing us the scoop on the digital underworld. Keep on typing, Sead, and we'll keep on reading.

Tags: 1-day vulnerabilities, financial cybercrime, Linux security, Magnet Goblin, Malware, NerbianRAT, Windows security