While threat actors focused on Ivanti edge devices earlier this year, one of them moved faster than the others, deploying a one-day exploit the day after its public disclosure.
Of the five vulnerabilities that emerged in recent months, CVE-2024-21887 stood out. The command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways was rated “critical” (9.1 out of 10 on the CVSS scale), and it has since proven to be a powerful launchpad for malware developers.
“Magnet Goblin,” a group recently named in a post on Check Point’s research blog, was one of the quickest to exploit that potential. Within a day of a Proof-of-Concept (PoC) exploit being released, the group had malware capable of exploiting the flaw.
“It’s pretty fast,” admits Sergey Shykevich, head of the threat intelligence group at Check Point. More to the point, “he demonstrated that they have some sort of ongoing process on how to do this – which is not the first time they have leveraged public-facing services.”
What to know about Magnet Goblin
The previously unnamed Magnet Goblin has been leveraging public-facing services for some time, including the Magento e-commerce platform, the Qlik Sense data analytics service, and Apache ActiveMQ.
If it compromises a device running Windows, Magnet Goblin often deploys a remote monitoring and management (RMM) tool, such as ScreenConnect or ConnectWise’s AnyDesk.
These malware samples have a higher-than-average chance of going undetected, not so much because of their inherent sophistication, but because they are usually deployed against edge devices. That is, Shykevich says, “because they’re focusing on Linux. More and more publications are focusing more on Windows; also, there are better defensive capabilities for Windows these days.”
What to do (since it’s too late to just patch)
It’s not just Magnet Goblin: other major threat actors, such as the Raspberry Robin ransomware group, have been unleashing one-day exploits at rates never seen before.
For this reason, Shykevich advises, “the main thing to do is apply patches as quickly as possible. Patch, patch, patch.” Although, he adds, “I hope that companies have already put in the patches. This recommendation is not really relevant, because if they haven’t already done so, statistically, someone has exploited them in the last two months.”
Beyond that, he encourages organizations to ensure their Linux servers and other Linux resources have endpoint protection.
“Until the last year and a half, many organizations have neglected Linux protection, because there are far fewer threat actors working with Linux in general, and less malware for it. But in general we’ve seen more and more threats focused on Linux by the bad guys, like the malware here and other ransomware. It’s a trend,” he concludes. “So I advise people to check that their Linux servers are no less protected than their Windows ones.”