# Magniber ransomware gang now exploits Internet Explorer flaws in attacks

**[bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/](https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/)**

By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/)

November 11, 2021 11:04 AM

The Magniber ransomware gang is now using two Internet Explorer vulnerabilities and malicious advertisements to infect users and encrypt their devices.

The two Internet Explorer vulnerabilities are tracked as CVE-2021-26411 and CVE-2021-40444, with both having a CVSS v3 severity score of 8.8.

The first one, [CVE-2021-26411, was fixed in March 2021 and is a memory corruption flaw](http://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26411) triggered by viewing a specially crafted website.

The second flaw, [CVE-2021-40444, is a remote code execution flaw in IE's rendering engine](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444) triggered by the opening of a malicious document.

[Attackers exploited CVE-2021-40444 as a zero-day before Microsoft fixed it in September](https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-cve-2021-40444-mshtml-zero-day-bug/) 2021.

## Magniber shifting focus

The Magniber gang is known for its use of vulnerabilities to breach systems and deploy its ransomware.

[In August, Magniber was observed exploiting 'PrintNightmare' vulnerabilities to breach](https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-printnightmare-to-breach-windows-servers/) Windows servers, which took Microsoft a while to address due to their impact on printing.

The most recent Magniber activity focuses on exploiting Internet Explorer vulnerabilities [using malvertising that pushes exploit kits, as confirmed by Tencent Security researchers](https://s.tencent.com/research/report/127) who identified "fresh" payloads.

One possible explanation for this shift is that Microsoft has largely fixed the PrintNightmare vulnerabilities over the past four months and that they were heavily covered by the media, pushing admins to deploy security updates.

Another reason why Magniber may have turned to Internet Explorer flaws is that they are relatively easy to trigger, relying solely upon stimulating the recipient's curiosity to open a file or webpage.

It may seem strange to target an old, unpopular browser like Internet Explorer. However, [StatCounter shows that 1.15% of the global page views are still from IE.](https://gs.statcounter.com/browser-market-share/desktop/worldwide)

While this is a low percentage, StatCounter tracks over 10 billion page views per month, which equates to 115,000,000 page views by users of Internet Explorer.

Furthermore, it is much harder to target Firefox and Chromium-based browsers, such as Google Chrome and Microsoft Edge, as they utilize an auto-update mechanism that quickly protects users from known vulnerabilities.

## Threat to Asian firms

[Magniber started in 2017 as the successor to the Cerber ransomware, and initially, it only](https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/) infected users from South Korea.

[The group then widened their targeting scope and began infecting Chinese (including](https://www.bleepingcomputer.com/news/security/magniber-ransomware-expands-from-south-korea-to-target-other-asian-countries/) Taiwan and Hong Kong), Singaporean, and Malaysian systems as well.

**Magniber ransom note**

This scope has solidified, and today, Magniber is a nuisance almost exclusively for Asian companies and organizations.

Since its launch, the Magniber ransomware has been under very active development, and its payload has been completely rewritten three times.

At this time, it remains uncracked, so there's no decryptor to help you restore any files that have been encrypted with this strain.

Finally, Magniber isn't following the trend of file-stealing and double-extortion, so the damage of their attacks is limited to file encryption.

As such, taking regular backups on secured, isolated systems is a very effective way to deal with this particular threat.