CVE-2021-26411: Internet Explorer Memory Corruption Vulnerability
Published 2021-03-11
CVSS 3.1: 8.8 (High), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: CISA KEV, exploited in the wild, ransomware
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 81.10% (99.6th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer_11 | >= 1.0.0 < publication | publication |
| microsoft | internet_explorer_9 | >= 1.0.0 < publication | publication |
| microsoft | microsoft_edge | >= 1.0.0 < publication | publication |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| cvelistv5 | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
CVEList
Internet Explorer Memory Corruption Vulnerability
cvelistv5·2021-03-11·CVSS 8.8
CVE-2021-26411 [HIGH] Internet Explorer Memory Corruption Vulnerability
Internet Explorer Memory Corruption Vulnerability
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2021·CVSS 7.8
CVE-2021-1732 [HIGH] CWE-787 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2021-Feb; https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/; https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/; https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/; https://www.trendmicro.com
VulnCheck
Microsoft Internet Explorer Memory Corruption Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-26411 [HIGH] CWE-416 Microsoft Internet Explorer Memory Corruption Vulnerability
Microsoft Internet Explorer Memory Corruption Vulnerability
Microsoft Internet Explorer contains an unspecified vulnerability that allows for memory corruption.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2021-Mar; https://arstechnica.com/gadgets/2021/03/microsoft-patches-critical-0day-that-north-korea-used-to-target-researchers/; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/; https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/; https://cybersecurityworks.com/h
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2020·CVSS 7.8
CVE-2020-1054 [HIGH] CWE-787 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k contains a privilege escalation vulnerability when the Windows kernel-mode driver fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kernel mode.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.sentinelone.com/labs/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/; https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/; https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://decoded.avast.io/janvojt
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
CVE-2019-0808 [HIGH] Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k contains a privilege escalation vulnerability due to the component failing to properly handle objects in memory. Successful exploitation allows an attacker to run code in kernel mode.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Mar; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_April_edition_1_digest_pdf.pdf; https://www.sentinelone.com/labs/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/; https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
CVE-2019-1458 [HIGH] Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP'.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Dec; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/; https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/; https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-it
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2018·CVSS 7.0
CVE-2018-8120 [HIGH] CWE-404 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2018-May; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rapidly-evolving-ransomware-gandcrab-version-5-partners-with-crypter-service-for-obfuscation/; https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/; https://web.archive.org/web/20220227045141/https://risksense.com/wp-content/uploads/201
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2015·CVSS 7.8
CVE-2015-1701 [HIGH] CWE-264 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
An unspecified vulnerability exists in the Win32k.sys kernel-mode driver in Microsoft Windows Server that allows a local attacker to execute arbitrary code with elevated privileges.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html; https://www.cve.org/CVERecord?id=CVE-2015-1701; https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html; https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; https://www2.fireeye.com/rs/848-DID-242/
Project0
Project Zero RCA: CVE-2021-26411: Internet Explorer MSHTML Double-Free
project_zero·CVSS 8.8
CVE-2021-26411 [HIGH] Project Zero RCA: CVE-2021-26411: Internet Explorer MSHTML Double-Free
# CVE-2021-26411: Internet Explorer MSHTML Double-Free
*Maddie Stone*
## The Basics
**Disclosure or Patch Date:** 9 March 2021
**Product:** Microsoft Internet Explorer
**Advisory:** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26411
**Affected Versions:** [KB4601319](https://support.microsoft.com/en-us/topic/february-9-2021-kb4601319-os-builds-19041-804-and-19042-804-87fc8417-4a81-0ebb-5baa-40cfab2fbfde) and previous
**First Patched Version:** [KB5000802](https://support.microsoft.com/en-us/topic/march-9-2021-kb5000802-os-builds-19041-867-and-19042-867-63552d64-fe44-4132-8813-ef56d3626e14)
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):** yangkang(@dnpushme) & huangyi(@C0rk1_H) & Enki
## The Code
**Proof-of-concept:**
CISA
Microsoft Internet Explorer Memory Corruption Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2021-26411 [HIGH] CWE-416 Microsoft Internet Explorer Memory Corruption Vulnerability
Vulnerability: Microsoft Internet Explorer Memory Corruption Vulnerability
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains an unspecified vulnerability that allows for memory corruption.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-26411
Remediation Due Date: 2021-11-17
Microsoft
Internet Explorer Memory Corruption Vulnerability
vendor_msrc·2021-03-09·CVSS 8.8
CVE-2021-26411 [HIGH] Internet Explorer Memory Corruption Vulnerability
Internet Explorer Memory Corruption Vulnerability
FAQ: How could an attacker exploit the vulnerability?
An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.
Internet Explorer: Int
No detection rules found.
No public exploits indexed.
Securelist
Updated MATA attacks industrial companies in Eastern Europe
blogs_securelist·2023-10-18·CVSS 8.8
[HIGH] Updated MATA attacks industrial companies in Eastern Europe
Table of Contents
- The infection chain
- Incident investigation
- Interesting findings
Authors
- GReAT
- Kaspersky ICS CERT
In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we were collecting and analyzing the relevant telemetry data, we realized the campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil and gas sector and defense industry.
The actors behind the attack used spear-phishing mails to target several victims; some were infected with Windows executable malware by downloading files through an internet browser. Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit. The attackers continued to send malicious documents v
Bleepingcomputer
MATA malware framework exploits EDR in attacks on defense firms
blogs_bleepingcomputer·2023-10-18·CVSS 8.8
CVE-2021-26411 [HIGH] MATA malware framework exploits EDR in attacks on defense firms
## MATA malware framework exploits EDR in attacks on defense firms
By Bill Toulas
An updated version of the MATA backdoor framework was spotted in attacks between August 2022 and May 2023, targeting oil and gas firms and the defense industry in Eastern Europe.
The attacks employed spear-phishing emails to trick targets into downloading malicious executables that exploit CVE-2021-26411 in Internet Explorer to initiate the infection chain.
The updated MATA framework combines a loader, a main trojan, and an infostealer to backdoor and gain persistence in targeted networks.
The MATA version in these attacks is similar to previous versions linked to the North Korean Lazarus hacking group but with updated capabilities.
Notably, spreading malware across all reachable corners of the corporat
Trendmicro
Magniber under the Microscope
blogs_trendmicro·2023-02-02·CVSS 7.5
[HIGH] Magniber under the Microscope
Ransomware
## Magniber under the Microscope
Magniber ransomware exploits a range of vulnerabilities, and although it uses a simpler kill chain than the newer double-extortion ransomware campaigns, it is no less effective. The analysis shows what needs to be done.
By: Trend Micro, Feb 02, 2023
The ransomware was discovered six years ago, yet attackers are still using the malware. In October 2022 there were reports of phishing attacks distributing Magniber ransomware. They used standalone JavaScript files that were digitally signed with a manipulated key, and abused the zero-day vulnerability CVE-2022-44698 to bypass Mark-of-the-Web (MOTW) security warnings. This allowed mal
Checkpoint
2nd May – Threat Intelligence Report
blogs_checkpoint·2022-05-02·CVSS 9.8
CVE-2022-22954 [CRITICAL] 2nd May – Threat Intelligence Report
## 2nd May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd May, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
A North Korean government-connected group initiated a spear-phishing campaign in March 2022 against journalists who specialize in North Korea coverage. The group used Goldbackdoor malware, which is linked to malware families attributed to APT37.
A threat actor affiliated with the Chinese government targeted Russian officials
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Checkpoint
15th November – Threat Intelligence Report
blogs_checkpoint·2021-11-15
CVE-2021-42237 15th November – Threat Intelligence Report
## 15th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 15th November, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research notes a 178% increase in the number of malicious shopping websites, compared to the rest of the year, spotting over 5300 different malicious websites per week ahead of the end of this year’s e-shopping season.
Check Point Research has analyzed the operations of threat actor MosesStaff following its
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA's Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Volexity
North Korean APT InkySquid Infects Victims Using Browser Exploits
blogs_volexity·2021-08-17·CVSS 7.8
[HIGH] North Korean APT InkySquid Infects Victims Using Browser Exploits
Threat Intelligence
## North Korean APT InkySquid Infects Victims Using Browser Exploits
August 17, 2021
Damien Cash, Josh Grunzweig, Matthew Meltzer, Steven Adair, and Tom Lancaster
Volexity recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a South Korean online newspaper that focuses on issues relating to North Korea. Malicious code on the Daily NK website was observed from at least late March 2021 until early June 2021.
This post provides details on the different exploits used in the SWC, as well as the payload used, which Volexity calls BLUELIGHT. Volexity attributes the activity described in this post to a threat actor Volexity refers to as InkySquid, which broadly corresponds to activity known publicly under the monikers
Trendmicro
Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising
blogs_trendmicro·2021-08-09·CVSS 7.8
[HIGH] Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising
Cyber Threats
## Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising
We found a new social engineering-based malvertising campaign targeting Japan that delivered a malicious application. The malicious application abused sideloading vulnerabilities to load and start the Cinobi banking trojan.
By: Joseph C Chen, Aug 09, 2021
In a previous blog entry, we reported on a campaign, which we labelled “Operation Overtrap,” that targeted Japan with a new banking trojan called Cinobi. The campaign, which was perpetrated by a group we named “Water Kappa,” delivered Cinobi via spam. It also delivered the trojan using the Bottle exploit kit, which included newer Internet Explorer exploits CVE-2020-1380 and CVE-2021-26411 and was used for ma
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
IT threat evolution Q1 2021. Non-mobile statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2021:
- Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
- 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
- Ransomware att
Checkpoint
15th March – Threat Intelligence Report
blogs_checkpoint·2021-03-15
CVE-2021-21056 15th March – Threat Intelligence Report
## 15th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Security footage and live feed data of some 150,000 surveillance cameras has been accessed by a hacker collective. The data was managed by Verkada, a Silicon Valley startup. Breached cameras were located in hospitals, schools, state departments and companies including Tesla and Cloudflare.
New spam campaign that delivers the
Krebs
Microsoft Patch Tuesday, March 2021 Edition
blogs_krebs·2021-03-10·CVSS 8.8
[HIGH] Microsoft Patch Tuesday, March 2021 Edition
On the off chance you were looking for more security to-dos from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating, meaning they can be exploited by malware or miscreants with little or no help from users.
Top of the heap this month (apart from the ongoing, global Exchange Server mass-compromise) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness — CVE-2021-26411 — affects both IE11 and newer EdgeHTML-based versions, and it allows attackers to run a file of their choice by getting you to view a hacked or malicious website in IE.
The IE flaw is tied to a vulnerability that was publicly disclosed in early February by res
Trendmicro
March Patch Tuesday: Fixes for Exchange Server, IE
blogs_trendmicro·2021-03-10·CVSS 9.1
[CRITICAL] March Patch Tuesday: Fixes for Exchange Server, IE
# March Patch Tuesday: Fixes for Exchange Server, IE
This month’s Patch Tuesday includes fixes already released for the Microsoft Exchange Server zero-day flaws attributed to Hafnium attacks.
By: Trend Micro
2021/03/10
This month’s Patch Tuesday features close to a hundred fixes, almost doubling last month’s total. The list includes patches already released for the Microsoft Exchange Server zero-day flaws attributed to Hafnium attacks.
Out of 89 patches released, 14 were rated Critical while the rest were deemed Important. Most of the critical vulnerabilities involve remote code execution (RCE), except for an information disclosure bug. Fifteen of these were reported by the Zero Day Initiative (ZDI).
Microsoft Exchange Server Vulnerabilities
Th
Qualys
March 2021 Patch Tuesday – 82 Vulnerabilities, 10 Critical, Adobe | Qualys
blogs_qualys·2021-03-09·CVSS 7.8
CVE-2021-26411 [HIGH] March 2021 Patch Tuesday – 82 Vulnerabilities, 10 Critical, Adobe | Qualys
This month’s Microsoft Patch Tuesday addresses 82 vulnerabilities, of which 10 are rated with Critical severity. This follows an out-of-band security update on March 2 to address critical vulnerabilities in Microsoft Exchange. Adobe released patches today for its FrameMaker, Creative Cloud Desktop, and Adobe Connect products.
### Internet Explorer Memory Corruption Vulnerability
Microsoft released patches addressing another 0-day vulnerability (CVE-2021-26411). This is a memory corruption vulnerability in Internet Explorer. This CVE already has a working exploit and is assigned a CVSSv3 base score of 8.8 by the vendor.
### Windows Hyper-V Remote Code Execution (RCE) Vulnerability
Microsoft released patches to fix a RCE vulnerability in Windows Hyper-V (CVE-2021-26867). This vulnerabili
Tenable
Microsoft’s March 2021 Patch Tuesday Addresses 82 CVEs (CVE-2021-26411)
blogs_tenable·2021-03-09·CVSS 8.8
[HIGH] Microsoft’s March 2021 Patch Tuesday Addresses 82 CVEs (CVE-2021-26411)
Talos
Microsoft Patch Tuesday for March 2021 — Snort rules and prominent vulnerabilities
blogs_talos·2021-03-09·CVSS 8.8
[HIGH] Microsoft Patch Tuesday for March 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Nick Biasini.
Microsoft released its monthly security update Tuesday, disclosing 89 vulnerabilities across its suite of products, the most in any month so far this year.
There are 14 critical vulnerabilities as part of this release and one considered of “low” severity. The remainder are all “important.” Three of the critical vulnerabilities are the ones Microsoft disclosed last week in Exchange Server that the company said state-sponsored actors exploited in the wild to steal emails. Microsoft also announced Monday they were releasing patches for older versions of Exchange Server.
All organizations using the affected software should prevent external access to port 443 on Exchange Servers, or set up a VPN to provide external access to port 443. Thi
Crowdstrike
Patch Tuesday 2021: A Vulnerability Deep Dive
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Patch Tuesday 2021: A Vulnerability Deep Dive
Crowdstrike
Magniber Ransomware Caught Using PrintNightmare Vulnerability
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Magniber Ransomware Caught Using PrintNightmare Vulnerability
Threat Intel
APT37 (APT37, InkySquid, ScarCruft)
threat_intel
APT37 (APT37, InkySquid, ScarCruft)
# Threat Actor Profile: APT37
ATT&CK ID: G0067
Also known as: APT37, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, Ricochet Chollima
Suspected origin: China
## Overview
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)
North Korean group definitions are
Zscaler
Zscaler protects against 7 new vulnerabilities for MS-Window
blogs_zscaler·CVSS 7.0
[HIGH] Zscaler protects against 7 new vulnerabilities for MS-Window
Crowdstrike
March 2021 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] March 2021 Patch Tuesday: Updates and Analysis
2021-03-11
Published
2021-11-03
Added to CISA KEV
Exploited in the wild