Despite the fact that the end of life date for Internet Explorer is fast approaching, the Magniber ransomware gang has begun exploiting two patched vulnerabilities in Microsoft’s legacy browser to launch attacks on unsuspecting users.
According to a new report from Bleeping Computer, the group has begun exploiting Internet Explorer vulnerabilities using malvertising that push exploit kits to businesses operating in Asia.
Magniber started in 2017 as the successor to another ransomware strain called Cerber and the group initially only targeted users in South Korea. In the time since though, the ransomware gang has expanded the scope of its operations to infect systems in China, Taiwan, Hong Kong, Singapore and Malyasia.
The Internet Explorer vulnerabilities being exploited in Magniber’s latest round of cyberattacks are tracked as CVE-2021-26411 and CVE-2021-40444 and both vulnerabilities have a high CVSS score of 8.8.
While the first vulnerability is a memory corruption flaw triggered by viewing a specially crafted website, it was patched by Microsoft back in March of this year. The second vulnerability enables remote code execution in Internet Explorer’s rendering engine by opening a malicious document but it was also patched by the software giant back in September.
Shifting tactics
Magniber has long used vulnerabilities to breach systems and deploy its ransomware. Back in August, the group was observed exploiting PrintNightmare vulnerabilities to breach Windows servers and these flaws took Microsoft a bit more time to fix due to how they impacted users’ ability to print documents.
A possible explanation for why Magniber has now shifted tactics to leverage vulnerabilities in Internet Explorer is because Microsoft has mostly fixed PrintNightmare vulnerabilities since they were heavily covered by the media which led admins to deploy the necessary patches and security updates. The Internet Explorer vulnerabilities now being used by the group are also easy to trigger as they only require a potential victim to open a file or webpage.
While most organizations and individuals have switched to using modern browsers like Google Chrome and Microsoft Edge, 1.15 percent of page views worldwide still come from Internet Explorer according to StatCoutner.
As the Magniber ransomware is still in active development and its payload has been completely rewritten three times, those concerned about falling victim to this latest round of attacks from the group should stop using Internet Explorer and switch to another browser that uses auto-updates ASAP.
Looking to further protect yourself online? Check out our roundups of the best endpoint protection software, best malware removal software and best ransomware protection