Ransomware/Malware Activity

Magnet Goblin Hacker Group Exploits 1-Day Vulnerabilities

Magnet Goblin is a hacker group that appears to be financially motivated and has been in operation since at least January 2022. The group is known for swiftly leveraging newly disclosed vulnerabilities for initial access and for using the custom Nerbian malware family in its attacks. Magnet Goblin has most recently been observed exploiting vulnerabilities in Ivanti Connect Secure VPN and ConnectWise ScreenConnect. The group has also been known to leverage 1-day exploits in Apache ActiveMQ, Qlik Sense, and Magento. Magnet Goblin targets both Windows and Linux systems with two forms of the Nerbian remote access trojan (RAT) as well as a simplified variant dubbed MiniNerbian. The NerbianRAT backdoor collects system information, runs various commands, and communicates with its command-and-control (C2) server over raw sockets. MiniNerbian, by contrast, uses HTTP to communicate with its C2 server and is more limited in its capabilities. Other tools leveraged in Magnet Goblin campaigns include WARPWIRE, a JavaScript credential stealer; Ligolo, Go-based tunneling software; and legitimate remote desktop offerings such as ScreenConnect. Magnet Goblin's strategy of exploiting 1-day vulnerabilities is a reminder for all organizations to patch known vulnerabilities as soon as possible and to decommission end-of-life software and hardware. CTIX analysts will continue to report on new strains of malware and trends in malware campaigns.

Threat Actor Activity

BlackCat/ALPHV Shuts Down in Likely Exit Scam After $22 Million Change Healthcare Attack

Last week, the head members of the BlackCat/ALPHV ransomware gang pulled off what now looks like an exit scam. The gang announced that they were shutting down their operation because of "the feds" and that they were in the process of finalizing negotiations to sell their source code. Additionally, the ransomware gang replaced their website with a fake law enforcement seizure notice. Some of the law enforcement agencies listed on the fake banner have already denied any involvement in recent BlackCat disruptions. BlackCat was highly successful in 2023 but eventually became the target of a joint law enforcement operation that led to the takedown of their infrastructure in December. The gang has been struggling to stay afloat since then, trying hard to instill confidence in their criminal affiliates and to restore their operation after the takedown. Those efforts seem to have dwindled, however, with the gang's leaders likely looking to make an exit, which would be well timed following the attack on Change Healthcare last month. A few days after operations were closed down, a claim emerged from one of the affiliates complaining that their account had been shut off by the ALPHV leaders right after the leaders received the alleged $22 million ransom payment from the Change Healthcare attack that the affiliate had carried out. Despite an elaborate plan to blame the shutdown on law enforcement while running off with the profits of one last big attack, it doesn't seem that anyone believed them. A spokesperson for the group eventually came out saying there is "no point in making excuses," followed by one of the forum's administrators in charge of arbitrating disputes writing "this is an exit scam." This likely won't be the end for the group, however, which has disappeared and rebranded countless times.
The threat actors first started out as DarkSide back in August 2020 before being shut down after their attack on Colonial Pipeline, then rebranded as BlackMatter before being shut down again by law enforcement, and eventually became BlackCat/ALPHV.

Vulnerabilities

Critical Fortinet Vulnerability Leaves 150,000 Devices Vulnerable to Exploitation

Recent scans have indicated that approximately 150,000 devices running Fortinet's FortiOS and FortiProxy are at risk due to a critical vulnerability that allows for remote code execution (RCE) without authentication. Fortinet's FortiOS powers a wide range of security devices within the Fortinet Security Fabric, offering features like DoS attack protection, IPS, firewall, and VPN services, while FortiProxy provides secure web proxy capabilities with additional protections against various cyber threats. The flaw, tracked as CVE-2024-21762, is an out-of-bounds write bug in FortiOS and FortiProxy. The vulnerability, with a critical CVSS score of 9.8 out of 10, can be exploited remotely via maliciously crafted HTTP requests. While exact details on the threat actors and their operations remain scarce, the situation underscores the need for administrators to either apply mitigations or upgrade affected systems promptly. This vulnerability has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, as it has been actively exploited by attackers. Although Fortinet has released patches for the issue, The Shadowserver Foundation's findings indicate that a substantial number of devices remain vulnerable, particularly in the United States, India, Brazil, and Canada. CTIX analysts recommend that all administrators responsible for the vulnerable devices ensure that their Fortinet infrastructure is up to date and capable of defending against exploitation.
