Recent research has shown that Magnet Goblin, a financially motivated threat actor group, exploits one-day vulnerabilities as a preliminary infection vector. The group predominantly targets public-facing servers and deploys Nerbian malware, such as NerbianRAT and MiniNerbian. Previous activities carried out by the threat actor group were detailed by security vendors, although at that point, none had been linked to a specific actor. Yet, these reports still displayed an evident methodology, including the leveraging of one-day vulnerabilities. 

Security leaders weigh in 

Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd:

“1-day flaws tend not to get as much press because, frankly, the “scoop” moment has already passed. That said, since 2020 it has been an increasing trend for nation-state and financially motivated attackers to target 1-day and n-day vulnerabilities as a “wide-and-low” means of establishing opportunistic persistence.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“Speed is critical when it comes to protecting against 1-day vulnerabilities. As soon as a zero-day vulnerability has been made public, organizations and threat actors enter a race– with bad actors like Magnet Goblin seeking to exploit the vulnerability before organizations have the opportunity to patch it. Security teams must stay vigilant, regularly monitor for vulnerabilities and ensure that patches are applied in a timely manner to mitigate the risk of exploitation by malicious actors.

“Any delay in patching a known vulnerability significantly increases the risk of a successful cyber-attack. While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impact to systems, data and operations. In the event of a cyber incident, no matter how a threat actor accesses the network, the next step is to make sure they are unable to go any further. A Privileged Access Management (PAM) solution is imperative for IT administrators and security personnel to manage and secure privileged credentials, and ensure least privilege access.”

John Gallagher, Vice President of Viakoo Labs at Viakoo:

“It’s clear that Magnet Goblin is taking the easy route; using recently disclosed vulnerabilities to exploit poorly defended systems. With many edge and IoT devices and applications there is a lag time between when a vulnerability is disclosed and when a patch is available…and then another lag time between when the patch is released and when it is implemented.  

“Often the teams managing edge and IoT systems are outside of IT, and may have different priorities or sense of urgency when it comes to patching.  

“One can expect that one day threats will be a major security issue, as the speed of AI can accelerate these specific types of threats. Until the speed of delivery by threat actors is matched by speed of response by defenders this will be an ongoing security risk.”