Threat Signal Report

Magniber Ransomware Gang Moved on to Internet Explorer Vulnerabilities from PrintNightmare

Description

FortiGuard Labs is aware of a report that the Magniber ransomware gang is now exploiting two Internet Explorer vulnerabilities in order to deliver ransomware. The Internet Explorer vulnerabilities that were exploited are CVE-2021-40444 and CVE-2021-26411.


Why is this Significant?

This is significant because the Magniber gang now exploits vulnerabilities other than PrintNightmare, which it previously utilized. In addition to confirming another attack method for Magniber, this could also be a potential indicator that the patches for CVE-2021-40444 and CVE-2021-26411 have not been applied to the same extent as they have been for PrintNightmare.


What are the New Vulnerabilities Exploited by Magniber Gang?

The Magniber gang now exploits CVE-2021-26411 and CVE-2021-40444.

  • CVE-2021-26411 is a memory corruption vulnerability in Internet Explorer and Microsoft Edge that was allegedly exploited as a zero-day by the Lazarus (aka Zinc) group.
  • CVE-2021-40444 is a remote code execution vulnerability in Microsoft MSHTML affecting multiple Microsoft Windows platforms and was also exploited as a zero-day.


What is PrintNightmare?

PrintNightmare refers to CVE-2021-34527, which is a critical vulnerability in the Windows Print Spooler service. Successfully exploiting the vulnerability allows the attacker to execute arbitrary code with SYSTEM privileges.


FortiGuard Labs previously released a Threat Signal on PrintNightmare. See the Appendix for a link to "#PrintNightmare Zero Day Remote Code Execution Vulnerability".


Has the Vendor Released Patches for CVE-2021-26411 and CVE-2021-40444?

Yes. Microsoft released a patch for CVE-2021-26411 in March 2021. The patch for CVE-2021-40444 was released by Microsoft in September 2021.


What is Magniber?

Magniber ransomware is malware that encrypts files on the compromised system and demands that the victim pay a ransom in order to recover the encrypted files.


FortiGuard Labs previously posted a Threat Signal on Magniber ransomware. See the Appendix for a link to "Magniber Ransomware Delivered to South Korean Victims Through PrintNightmare Vulnerability".


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against recent variants of Magniber ransomware:

W64/Kryptik.FU!tr

W32/Injector.FU!tr


The following AV coverage is also available for known Magniber ransomware:

W32/Magniber.A!tr

W32/Filecoder_Magniber.A!tr

W32/Filecoder_Magniber.B!tr

W32/Filecoder.MAGNIBER!tr

W32/Filecoder_Magniber.E!tr

W32/Filecoder_Magniber.C!tr

W32/Magniber.E!tr.ransom

W32/Filecoder_Magniber.F!tr.ransom

W32/Magniber.DA5D!tr.ransom


The Internet Explorer vulnerabilities (CVE-2021-40444 and CVE-2021-26411) exploited by the Magniber gang are detected by the following IPS coverage:

MS.Office.MSHTML.Remote.Code.Execution

MS.IE.CVE-2021-26411.Memory.Corruption
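The IPS and AV signature names above are most useful when they are correlated per host: an IPS hit for one of the two CVEs followed shortly by a Magniber AV detection on the same client is a much stronger triage signal than either event alone, and an IPS hit with no AV event is a prompt to verify that the March and September 2021 patches are present on that host. The script below is an added example, not FortiGuard or Fortinet code; it reads a few constructed log lines in an assumed key=value layout (the field names `time`, `subtype`, `attack`, `virus`, `srcip`, `dstip` are assumptions, not a guaranteed FortiGate export format), and uses only the signature names listed in this report. For IPS events it treats `dstip` as the client that received the exploit content; for AV events it treats `srcip` as the client that fetched the file. Both conventions are assumptions to adapt to the real log source.

```python
"""Correlate FortiGuard IPS and AV signature hits per host (added example).

Signature names are the ones listed in this Threat Signal. The log layout and
the field names are assumptions for illustration, not a real FortiGate export.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# IPS signature name -> CVE it covers (both taken from the report).
IPS_TO_CVE = {
    "MS.Office.MSHTML.Remote.Code.Execution": "CVE-2021-40444",
    "MS.IE.CVE-2021-26411.Memory.Corruption": "CVE-2021-26411",
}

# AV signature names the report lists for Magniber and its recent variants.
MAGNIBER_AV = {
    "W64/Kryptik.FU!tr", "W32/Injector.FU!tr", "W32/Magniber.A!tr",
    "W32/Filecoder_Magniber.A!tr", "W32/Filecoder_Magniber.B!tr",
    "W32/Filecoder.MAGNIBER!tr", "W32/Filecoder_Magniber.E!tr",
    "W32/Filecoder_Magniber.C!tr", "W32/Magniber.E!tr.ransom",
    "W32/Filecoder_Magniber.F!tr.ransom", "W32/Magniber.DA5D!tr.ransom",
}

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOGS = """\
time=2021-10-05T09:12:01 type=utm subtype=ips action=detected srcip=198.51.100.7 dstip=192.0.2.15 attack="MS.Office.MSHTML.Remote.Code.Execution"
time=2021-10-05T09:12:40 type=utm subtype=virus action=blocked srcip=192.0.2.15 virus="W64/Kryptik.FU!tr"
time=2021-10-05T09:30:00 type=utm subtype=ips action=detected srcip=203.0.113.9 dstip=192.0.2.22 attack="MS.IE.CVE-2021-26411.Memory.Corruption"
time=2021-10-05T10:01:10 type=utm subtype=virus action=blocked srcip=192.0.2.40 virus="W32/Filecoder_Magniber.B!tr"
time=2021-10-05T10:05:00 type=traffic action=accept srcip=192.0.2.15 dstip=198.51.100.7
"""


def parse_line(line):
    """Split one key=value line into a dict; shlex handles the quoted values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def correlate(lines, window=timedelta(hours=1)):
    """Group signature hits by client host and assign a triage verdict.

    exploit_then_payload: an IPS hit for one of the two CVEs was followed, within
                          `window`, by a Magniber AV detection on the same host.
    exploit_attempt:      IPS hit only; verify the host has the 2021 patches.
    payload_only:         AV detection only; ransomware arrived by another route.
    """
    hosts = defaultdict(lambda: {"ips": [], "av": []})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        f = parse_line(raw)
        if f.get("subtype") == "ips" and f.get("attack") in IPS_TO_CVE:
            ts = datetime.fromisoformat(f["time"])
            hosts[f["dstip"]]["ips"].append((ts, IPS_TO_CVE[f["attack"]]))  # assumed: dstip is the client
        elif f.get("subtype") == "virus" and f.get("virus") in MAGNIBER_AV:
            ts = datetime.fromisoformat(f["time"])
            hosts[f["srcip"]]["av"].append((ts, f["virus"]))  # assumed: srcip is the client

    report = {}
    for host, ev in hosts.items():
        chained = any(
            timedelta(0) <= av_ts - ips_ts <= window
            for ips_ts, _ in ev["ips"]
            for av_ts, _ in ev["av"]
        )
        if chained:
            verdict = "exploit_then_payload"
        elif ev["ips"]:
            verdict = "exploit_attempt"
        else:
            verdict = "payload_only"
        report[host] = {
            "verdict": verdict,
            "cves": sorted({cve for _, cve in ev["ips"]}),
            "av": [name for _, name in ev["av"]],
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(correlate(SAMPLE_LOGS.splitlines()).items()):
        print(f"{host:<14} {info['verdict']:<21} cves={info['cves']} av={info['av']}")
```

On the constructed input, 192.0.2.15 is flagged as exploit followed by payload, 192.0.2.22 as an exploit attempt with no payload seen (the host to check for the CVE-2021-26411 patch), and 192.0.2.40 as a Magniber detection with no preceding IPS event. The one-hour window is a tunable assumption; for a drive-by delivery the gap between the exploit hit and the dropped payload is usually far shorter.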


Definitions

Traffic Light Protocol

Each color below is described by when it should be used and how information carrying it may be shared.

TLP: RED
Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER
Limited disclosure, restricted to participants' organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN
Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE
Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.