Full Report
On 2024-03-08, a campaign attributed to Magnet Goblin was reported. The actor gained initial access through 1-day vulnerabilities in Ivanti Connect Secure VPN, Apache ActiveMQ, Magento, and Qlik Sense; the impact is unknown. The following tools were observed: NerbianRAT, AnyDesk, WARPWIRE, MiniNerbian, ScreenConnect, Ligolo.
Analysis Summary
# Threat Actor: Magnet Goblin
## Attribution & Identity
Magnet Goblin (Confirmed actor identified in the reported campaign).
## Activity Summary
A campaign reported on 2024-03-08 focused on gaining initial access using 1-day vulnerabilities to compromise publicly facing servers.
## Tactics, Techniques & Procedures
- Gained initial access exploiting 1-day vulnerabilities.
- Post-exploitation activity relied on remote access tooling (see Tools & Infrastructure below).
- **MITRE ATT&CK IDs (Inferred based on tools):** T1190 (Exploit Public-Facing Application), T1219 (Remote Access Software), T1021 (Remote Services).
## Targeting
- Sectors: Not explicitly detailed; the targeted technologies (VPNs, message brokers, e-commerce platforms) suggest opportunistic targeting of any organization exposing them.
- Geography: Unknown.
- Victims: Specific victims not detailed; targets include organizations running Ivanti Connect Secure VPN, Apache ActiveMQ, Magento, or Qlik Sense.
## Tools & Infrastructure
- **Malware families used:** NerbianRAT, MiniNerbian.
- **Other observed tools:** AnyDesk, WARPWIRE, ScreenConnect, Ligolo.
- **Infrastructure:** Unknown (No URLs or IPs provided in the context).
## Implications
Magnet Goblin remains an active threat leveraging timely exploitation of recently disclosed, unpatched vulnerabilities (1-day exploits) to achieve initial access. The use of diverse remote access tools suggests potential pivots to data exfiltration, espionage, or ransomware deployment post-breach.
## Mitigations
- Apply patches immediately for 1-day vulnerabilities, prioritizing internet-facing assets like VPNs (Ivanti Connect Secure), message brokers (Apache ActiveMQ), and public applications.
- Restrict or monitor outbound connections from the targeted technologies to known remote access tool and Command and Control (C2) infrastructure, scrutinizing in particular traffic associated with NerbianRAT, AnyDesk, ScreenConnect, and Ligolo.
- Implement strong network segmentation to limit lateral movement upon initial compromise.