#MagnitudeEK is now stepping up its game by using CVE-2021-21224 and CVE-2021-31956 to exploit Chromium-based browsers. This is an interesting development since most exploit kits are currently targeting exclusively Internet Explorer, with Chromium staying out of their reach.
CVE-2021-21224, a type confusion in V8, is used to compromise a renderer process. CVE-2021-31956, a Windows EoP, is used to escape the Chromium sandbox. This is the same combination of vulnerabilities that was suspected to be chained in the #PuzzleMaker attack.
The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1–20H2). Build 19043 (21H1) is not targeted. The exploit for CVE-2021-31956 contains hardcoded syscall numbers relevant just for these builds.
There is no malicious payload attached to these exploits yet; the attack just exfiltrates the victim's Windows build number. Since this is the standard way for Magnitude to test new CVEs, we believe these exploits could soon be used to deploy the #Magniber ransomware.
IoCs:
