Internet Explorer is still causing trouble, even from the grave


Although the end-of-life date for Internet Explorer is fast approaching, the Magniber ransomware gang has begun exploiting two patched vulnerabilities in Microsoft's legacy browser to launch attacks on unsuspecting users.

According to a new report from Bleeping Computer, the group has begun exploiting Internet Explorer vulnerabilities using malvertising that pushes exploit kits to businesses operating in Asia.

Magniber started in 2017 as the successor to another ransomware strain called Cerber, and the group initially only targeted users in South Korea. Since then, the ransomware gang has expanded the scope of its operations to infect systems in China, Taiwan, Hong Kong, Singapore and Malaysia.

The Internet Explorer vulnerabilities being exploited in Magniber's latest round of cyberattacks are tracked as CVE-2021-26411 and CVE-2021-40444, and both vulnerabilities have a high CVSS score of 8.8.

The first vulnerability is a memory corruption flaw triggered by viewing a specially crafted website; Microsoft patched it back in March of this year. The second vulnerability enables remote code execution in Internet Explorer's rendering engine when a victim opens a malicious document, and it was also patched by the software giant back in September.

Shifting tactics

Magniber has long used vulnerabilities to breach systems and deploy its ransomware. Back in August, the group was observed exploiting PrintNightmare vulnerabilities to breach Windows servers, and these flaws took Microsoft a bit more time to fix due to how they impacted users' ability to print documents.

A possible explanation for Magniber's shift to Internet Explorer vulnerabilities is that Microsoft has mostly fixed the PrintNightmare vulnerabilities, and the heavy media coverage they received led admins to deploy the necessary patches and security updates. The Internet Explorer vulnerabilities now being used by the group are also easy to trigger, as they only require a potential victim to open a file or webpage.

While most organizations and individuals have switched to using modern browsers like Google Chrome and Microsoft Edge, 1.15 percent of page views worldwide still come from Internet Explorer, according to StatCounter.

As the Magniber ransomware is still in active development and its payload has been completely rewritten three times, those concerned about falling victim to this latest round of attacks from the group should stop using Internet Explorer and switch to another browser that uses auto-updates ASAP.


Via Bleeping Computer

Anthony Spadafora
