According to Check Point, a financially motivated threat actor exploits one-day vulnerabilities in public-facing services to deploy Linux backdoors.
The adversary, known as Magnet Goblin, has been quick to adopt one-day vulnerabilities, often in edge devices, and uses the custom Nerbian malware family to carry out malicious activities. Magnet Goblin was observed exploiting publicly disclosed vulnerabilities in Ivanti VPNs (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893), Magento (CVE-2022-24086), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and possibly Apache ActiveMQ.
As part of an attack exploiting the recent Ivanti flaws, the threat actor was seen using the JavaScript credential stealer Warpwire, a Linux variant of the NerbianRAT backdoor, and the open-source tunneling tool Ligolo.