The Magniber ransomware group is now infecting victims and encrypting their devices by exploiting two Internet Explorer flaws delivered through malicious advertising.
The two Internet Explorer bugs are CVE-2021-26411 and CVE-2021-40444, each with a CVSS v3 severity score of 8.8.
CVE-2021-26411, a memory corruption flaw triggered by visiting a specially crafted website, was patched in March 2021.
CVE-2021-40444 is a remote code execution flaw in Internet Explorer’s rendering engine, triggered by opening a crafted document.
Attackers used CVE-2021-40444 as a zero-day before Microsoft patched it in September 2021.
Magniber Switching Focus
The Magniber gang is well known for exploiting vulnerabilities to break into computers and deploy ransomware.
In August, Magniber was spotted leveraging the ‘PrintNightmare’ flaws to compromise Windows servers; those flaws took Microsoft some time to fully resolve because the fixes affected printing.
According to Tencent security experts who discovered the new payloads, the latest Magniber activity focuses on Internet Explorer vulnerabilities, delivered via malvertising that pushes exploit kits.
One probable explanation for the move is that Microsoft has largely addressed the ‘PrintNightmare’ flaws over the last four months, and the issue has been prominently covered by the press, prompting administrators to apply security updates.
Another reason Magniber may have chosen Internet Explorer holes is that they are extremely simple to exploit, requiring only that the victim be enticed into opening a file or webpage.
It may seem odd to target an old, unpopular browser such as Internet Explorer, but StatCounter shows that IE still accounts for 1.15 percent of worldwide page views.
While this is a small fraction, StatCounter records over 10 billion page views every month, which translates to roughly 115,000,000 page views from Internet Explorer users.
Threat To Asian Firms
Magniber first appeared in 2017 as the successor to the Cerber ransomware, initially targeting mainly South Korean victims.
The operators later broadened their scope to Chinese (including Taiwan and Hong Kong), Singaporean and Malaysian systems.
Magniber’s scope has since narrowed, and it now mostly affects Asian businesses and organizations.
Magniber ransomware has been actively developed since its initial release, and its payload has been completely rebuilt three times.
At the moment it remains uncracked, so there is no decryptor available to restore files encrypted by this strain.
Finally, Magniber does not engage in data theft or double extortion, so its attacks are confined to file encryption.
As a result, frequent backups kept on secure, isolated systems are a very effective defense against this particular threat.