New Wave Of Russian And Chinese-Backed Hackers Exploiting WinRAR Zero-Day Bug


Recent reports from Google’s Threat Analysis Group (TAG) have revealed that government-backed hackers connected to Russia and China are actively exploiting a previously patched vulnerability in WinRAR, a popular file archiving program for Windows. The flaw, tracked as CVE-2023-38831, lets an attacker craft a ZIP archive that contains a harmless-looking file, such as an image or text document, alongside a folder of the same name that holds a script. When the victim opens the decoy file from within WinRAR, WinRAR also extracts the contents of the same-named folder and the script inside it runs instead of the decoy.

Key Takeaway

Russia- and China-backed hacking groups are actively exploiting a previously patched vulnerability in WinRAR, a popular file archiving program for Windows. The flaw allows attackers to hide malicious scripts in seemingly harmless archive files, putting users who open them at risk. Updating WinRAR promptly and treating unsolicited archive attachments with suspicion are the main mitigations.

The vulnerability was first discovered earlier this year by cybersecurity company Group-IB, which identified it as a zero-day, meaning it was being exploited in the wild before the developer knew about it or had issued a fix. Group-IB reported that the exploit had been in use since April 2023 in campaigns against traders on financial forums, with at least 130 traders’ devices confirmed infected.

In response to the discovery, Rarlab, the maker of WinRAR, released an updated version of the software (version 6.23) on August 2, 2023, to patch the vulnerability. WinRAR does not update itself, so each user has to install the new version by hand, and Google’s TAG researchers emphasize that many users have not yet done so, leaving them open to exploitation.
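Because lures built on this bug will keep arriving at users who have not updated, a mail gateway or triage script can flag archives that have the tell-tale shape described above: a top-level file and a same-named folder that holds a script. The following Python is an added example written for this page, not code from Google TAG, Group-IB or Rarlab. The extension list and the sample archives it builds are constructed for the demonstration; the script placeholder contains no payload.

```python
"""Flag ZIP archives shaped like a CVE-2023-38831 lure (added example, not WinRAR's code)."""
import io
import zipfile
from typing import List

# File types that Windows will execute when WinRAR hands the extracted entry
# to the shell. Constructed list for this example; extend it for your environment.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk")


def find_cve_2023_38831_collisions(zip_bytes: bytes) -> List[str]:
    """Return the paths of script-like entries that sit inside a folder whose
    name matches a top-level file in the same archive.

    That is the layout the WinRAR bug abuses: the victim double-clicks the
    harmless-looking file, WinRAR also extracts the same-named folder, and the
    script inside it is what actually runs. Trailing spaces are ignored when
    comparing names because the known lures rely on a trailing space in the
    decoy name to trick the shell's file lookup.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # Top-level plain files, keyed by their name with trailing spaces removed.
    top_level_files = {n.rstrip(" ") for n in names if "/" not in n}

    findings = []
    for name in names:
        folder, sep, inner = name.partition("/")
        if not sep or not inner:
            continue  # a top-level file or a bare folder entry
        if folder.rstrip(" ") in top_level_files and inner.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(name)
    return findings


def build_sample_archive(decoy_name: str, with_script_folder: bool) -> bytes:
    """Construct an in-memory ZIP for the demo; contents are placeholders, not a payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy_name, b"%PDF-1.4 placeholder decoy bytes")
        if with_script_folder:
            # Same-named folder holding a same-named script, as in the reported lures.
            zf.writestr(f"{decoy_name}/{decoy_name}.cmd", "echo constructed placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    # The decoy name ends in a space, matching the lures seen in the wild.
    lure = build_sample_archive("invoice.pdf ", True)
    clean = build_sample_archive("report.pdf", False)
    print("lure  :", find_cve_2023_38831_collisions(lure))
    print("clean :", find_cve_2023_38831_collisions(clean))
```

A hit from this check is a strong signal but not proof: an archive may legitimately contain a file and a folder with the same name. Treat a hit as a reason to quarantine and inspect, and pair the check with confirming that endpoints run WinRAR 6.23 or later.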

Government-Backed Hacking Groups Exploiting the Vulnerability

TAG researchers have attributed exploitation of the WinRAR bug to multiple government-backed hacking groups linked to Russia and China. One of them is Sandworm, a Russian military intelligence unit known for destructive cyberattacks, including the 2017 NotPetya wiper attack that posed as ransomware. TAG observed Sandworm using the WinRAR vulnerability in early September 2023 in a malicious email campaign posing as a Ukrainian drone warfare training school. When victims opened the attached archive, their devices were infected with information-stealing malware that harvested browser passwords.

Another prominent group exploiting the vulnerability is APT28, commonly known as Fancy Bear, which, like Sandworm, is attributed to Russian military intelligence (the GRU). Fancy Bear gained infamy for its hack-and-leak operation against the Democratic National Committee in 2016. In this case, the group used the WinRAR bug to target Ukrainian users through an email campaign impersonating the Razumkov Centre, a public policy think tank in the country.

In addition to the Russian groups, TAG reports that APT40, a Chinese-backed group associated with China’s Ministry of State Security, has also taken advantage of the WinRAR vulnerability. Its phishing campaign targeted individuals in Papua New Guinea and delivered the exploit through a Dropbox link to an archive file rather than as a direct attachment.

Slow Patching Rates Facilitate Exploitation

One crucial takeaway from these developments is that an exploit for a known, already patched vulnerability can still have a significant impact. Attackers count on slow patching among users, and in this case the exploit needs nothing more from the victim than opening one file inside an archive, which makes it well suited to phishing. The practical response is to install WinRAR 6.23 or later on every machine, since the program will not do it automatically, and to stay vigilant against phishing emails and links that deliver archive files.
