Headline
Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
Hackers exploit unpatched Ivanti vulnerabilities to deploy malware on Linux systems. Magnet Goblin targets businesses using outdated software. Patch immediately and implement strong security measures to protect against these attacks.
Cybersecurity researchers at Check Point are warning of a malicious campaign targeting one-day vulnerabilities in Ivanti and other security software products, potentially impacting a wide range of organizations.
The culprit behind this campaign is a financially motivated hacker group known as Magnet Goblin. This group has been active since January 2022 and specializes in leveraging newly disclosed vulnerabilities, targeting public-facing servers and edge devices.
According to Check Point’s research, Magnet Goblin is using one-day security vulnerabilities to breach edge devices and public-facing services and deploy custom malware on Linux systems. For your information, after zero-day vulnerabilities are disclosed publicly and patches are released, they are referred to as one-day vulnerabilities.
The attackers exploit unpatched servers like Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy a cross-platform remote access trojan (RAT) called Nerbian RAT, first documented by Proofpoint in 2022. It also utilized Nerbian RAT’s simplified variant, MiniNerbian, which allows arbitrary command execution from a C2 server.
“NerbianRAT and MiniNerbian… these tools have operated under the radar as they mostly reside on edge devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected,” researchers noted.
NerbianRAT is downloaded from compromised systems with critical Ivanti Connect Secure flaws. While researching, CheckPoint discovered a 1-day vulnerability infection that led to the download of the NerbianRAT Linux variant.
The variant was used to execute various malicious activities on compromised systems, including modifying connection intervals, work time settings, and updating configuration variables.
Magnet Goblin leveraged CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 in Ivanti VPNs, CVE-2022-24086 in Magento, and CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 in Qlik Sense.
They used a JavaScript credential stealer called Warpwire and the open-source tunnelling tool Ligolo to exploit these vulnerabilities. Warpwire stealer is linked to mass Ivanti vulnerability exploitation and was used in a 2022 Magento server attack. In addition, they used remote monitoring tools ScreenConnect and AnyDesk, targeting Qlik Sense and Apache ActiveMQ.
It is worth noting that Ivanti issued a public advisory in January for CVE-2024-21887, a command injection vulnerability, urging users to patch their systems against wild exploitations. However, Check Point found that Magnet Goblin exploitations occurred within a day of patch issuance, targeting systems not yet patched with available fixed updates.
Compromised Magento servers used in Magnet Goblin campaigns (Screenshot: Checkpoint)
John Gallagher, Vice President of Viakoo Labs at Viakoo commented on the findings stating, “It’s clear that Magnet Goblin is taking the easy route; using recently disclosed vulnerabilities to exploit poorly defended systems. With many edge and IoT devices and applications there is a lag time between when a vulnerability is disclosed and when a patch is available…and then another lag time between when the patch is released and when it is implemented.”
“Often the teams managing edge and IoT systems are outside of IT and may have different priorities or sense of urgency when it comes to patching. One can expect that one-day threats will be a major security issue, as the speed of AI can accelerate these specific types of threats. Until the speed of delivery by threat actors is matched by the speed of response by defenders this will be an ongoing security risk.”
Organisations of all sizes relying on Ivanti software for endpoint management and security are at potential risk. This includes companies in various sectors that utilize Ivanti to safeguard their critical infrastructure.
Therefore, patching Ivanti software is necessary to prevent exploitation along with increased monitoring, and adopting a layered security approach, including implementing Endpoint Detection and Response (EDR) solutions to strengthen the overall security of the network and devices.
- New Linux Malware Alert: ‘Spinning YARN’ Hits Docker
- Linux Malware “Migo” Exploits Redis for Cryptojacking
- Bifrost RAT Targets Linux Devices, Mimics VMware Domain
- Crypto Stealing PyPI Malware Hits Both Windows and Linux Users
- Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer
Related news
An unknown adversary compromised a CISA app containing the data via a vulnerability in the Ivanti Connect Secure appliance this January.
The business intelligence servers contain vulnerabilities that Qlik patched last year, but which Cactus actors have been exploiting since November. Swathes of organizations have not yet been patched.
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti
For their part, the U.S. did roll out new restrictions on the visas of any foreign individuals who misuse commercial spyware.
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE. "CHAINLINE is a Python web shell backdoor that is
Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE. "CHAINLINE is a Python web shell backdoor that is
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that's used to drop the open-source Sliver adversary simulation tool. The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused
A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that's used to drop the open-source Sliver adversary simulation tool. The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it's being actively exploited in the wild. The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it's being actively exploited in the wild. The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
By Deeba Ahmed Another day, another zero-day flaw driving the cybersecurity world crazy. This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
By Deeba Ahmed Another day, another zero-day flaw driving the cybersecurity world crazy. This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178
A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178
A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. "This campaign marks the first documented instance [...] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf
A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. "This campaign marks the first documented instance [...] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf
A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. "This campaign marks the first documented instance [...] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. "The attacker seems to be
By Deeba Ahmed According to researchers, at least seven magecart groups are targeting Magento 2 websites in TrojanOrders attacks. This is a post from HackRead.com Read the original post: TrojanOrders Attack Hits Magento and Adobe Stores