Magnet Goblin Hacker Group Exploits 1-Day Vulnerabilities to Deploy Nerbian RAT

admin, 11 March 2024 16:23:02


A financially motivated threat actor called Magnet Goblin is swiftly adopting one-day security vulnerabilities into its arsenal in order to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts.

"Threat actor group Magnet Goblin's hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices," Check Point said.

"In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is published, significantly increasing the threat level posed by this actor."

Attacks mounted by the adversary have leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as an initial infection vector to gain unauthorized access. The group is said to be active since at least January 2022.

A successful exploitation is followed by the deployment of a cross-platform remote access trojan (RAT) dubbed Nerbian RAT, which was first disclosed by Proofpoint in May 2022, as well as its simplified variant called MiniNerbian. The use of the Linux version of Nerbian RAT was previously highlighted by Darktrace.

Both strains allow execution of arbitrary commands received from a command-and-control (C2) server and exfiltrate the results back to it.

Some of the other tools used by Magnet Goblin include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software known as Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect.

"Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, Nerbian RAT and MiniNerbian," the company said.

"Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected."

References

[1]https://thehackernews.com/2024/03/magnet-goblin-hacker-group-leveraging-1.html


Originally published on the WeChat public account 知机安全: Magnet Goblin Hacker Group Exploits 1-Day Vulnerabilities to Deploy Nerbian RAT

Posted by admin on 11 March 2024 16:23:02
When reposting, keep the link to this article (CN-SEC: thanks to the original author): http://cn-sec.com/archives/2566902.html
