Internet Explorer is Still Causing Problems

Despite the fact that the end-of-life date for Internet Explorer is fast approaching, the Magnibar ransomware gang has begun to exploit two patched vulnerabilities in Microsoft’s legacy browser to launch attacks on unsuspecting users.

According to a new report from Bleeping Computer, the group has begun to exploit Internet Explorer vulnerabilities by pushing exploit kits to businesses operating in Asia.

Magniber debuted in 2017 as a successor to another ransomware strain called Cerber, and the group initially only targeted users in South Korea. However, since that time, ransomware gangs have expanded the scope of their operations to infect systems in China, Taiwan, Hong Kong, Singapore, and Malaysia.

The Internet Explorer vulnerabilities being exploited by Magnibar’s latest round of cyberattacks are tracked as CVE-2021-26411 and CVE-2021-40444, and both vulnerabilities have a CVSS score of 8.8.

While the first vulnerability is a memory corruption flaw resulting from viewing a specially crafted website, it was patched by Microsoft back in March of this year. The second vulnerability enabled remote code execution in Internet Explorer’s rendering engine by opening a malicious document, but it was also patched by the software giant in September.

Transfer Strategy

Magnibar has long used vulnerabilities to breach systems and deploy its ransomware. Back in August, the group was seen taking advantage of PrintNightmare vulnerabilities to breach Windows servers and it took Microsoft a little longer to fix these flaws because of how they affected users’ ability to print documents.

One possible explanation for why Magnibar has now shifted strategy to take advantage of vulnerabilities in Internet Explorer is that Microsoft fixed most of the print Nightmare vulnerabilities because they were heavily covered by the media, whose reason has led the administrator to deploy the necessary patches and security updates. Internet Explorer vulnerabilities that are now being used by the group are also easy to trigger as they require only the potential victim to open the file or webpage.

While most organizations and individuals have switched to using modern browsers such as Google Chrome and Microsoft Edge, 1.15 percent of page views worldwide still come from Internet Explorer, according to StatCounter.

Since the Magnibar ransomware is still in active development and its payload has been completely rewritten three times, those concerned about falling victim to this latest round of attacks from the group have to stop using Internet Explorer. Should and switch to another browser that uses auto-update ASAP.