Patch up, please: state-backed actors still exploiting known WinRAR vulnerability


Multiple state-backed hacking groups from Russia, China, and elsewhere have been exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations in the last few weeks.

The vulnerability in question is called CVE-2023-38831, according to Google’s Threat Analysis Group (TAG). Threat actors started exploiting it in early 2023, when the flaw was still unknown in the industry.

Government-backed groups have been exploiting the vulnerability, which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.
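As an added triage example (not code from the article or from Google TAG), the check below reads a ZIP's central directory and flags the archive layout that CVE-2023-38831 abuses: a benign-looking decoy file next to a directory whose name is the decoy's name with a trailing space, holding a script. That layout comes from public analyses of the CVE rather than from this article, and the two in-memory archives are constructed fixtures with placeholder bytes; nothing is extracted or executed.

```python
import io
import zipfile

# Extensions WinRAR hands to the shell when the entry is "opened" from the archive.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr"}


def find_decoy_pairs(zip_bytes):
    """Return (decoy, script) pairs matching the CVE-2023-38831 archive layout.

    Layout: a benign-looking file (e.g. invitation.pdf) next to a directory
    whose name is that file name plus a trailing space, containing a script.
    On unpatched WinRAR, opening the decoy extracts and runs the script.
    Only the central directory is read; nothing is extracted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    hits = []
    for decoy in sorted(names):
        dir_prefix = decoy + " /"          # e.g. "invitation.pdf /"
        for entry in names:
            if not entry.startswith(dir_prefix):
                continue
            inner = entry[len(dir_prefix):]
            ext = "." + inner.rpartition(".")[2].lower()
            if ext in SCRIPT_EXTENSIONS:
                hits.append((decoy, entry))
    return hits


def build_sample_archive():
    """Constructed in-memory fixture in the CVE layout; placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("invitation.pdf /invitation.pdf .cmd", b"rem placeholder")
    return buf.getvalue()


def build_clean_archive():
    """Constructed benign fixture: two ordinary files, no trailing-space directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()
```

A mail gateway or endpoint tool can run `find_decoy_pairs` over attachment bytes and quarantine any archive that returns a non-empty list, independent of whether the recipient's WinRAR is patched.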


Google’s TAG attributes the malicious activities to three different clusters – FROZENBARENTS (also known as Sandworm), FROZENLAKE (also known as APT28), and ISLANDDREAMS (also known as APT40).

Sandworm, linked to Unit 74455 of the Russian Armed Forces’ Main Directorate of the General Staff, has typically targeted the energy sector and has also focused on hack-and-leak operations.

But on September 6th, it launched an email campaign impersonating a Ukrainian drone warfare training school. A link in the emails delivered a malicious ZIP file exploiting CVE-2023-38831.

APT28 is connected to the same Russian military institution and has targeted government organizations in Ukraine with a spearphishing campaign. The group used a decoy document – an event invitation from Razumkov Centre, a public policy think tank in Ukraine – to deliver the exploit.

APT28 used a fake event invitation from a think tank to deliver the exploit. Courtesy of Google.

APT40, which is close to the government of China, launched a phishing campaign targeting Papua New Guinea in late August.

Up until August, the vulnerability had been exploited as a zero-day by cybercrime actors. After a blog post from Group-IB detailed the threat, a patch was made available, Google’s TAG said.

However, many users still appear to be vulnerable. Patching rates have been slow, so threat actors can continue to rely on n-days – flaws that are already publicly known and for which a fix exists.


“To ensure protection, we urge organizations and users to keep software fully up-to-date and to install security updates as soon as they become available,” Google’s specialists said.

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available. These recent campaigns underscore the importance of patching.”