October 18, 2023 at 11:16AM
State-backed hacking groups, including Sandworm, APT28, and APT40, are exploiting a vulnerability in WinRAR to execute arbitrary code on targeted systems. The bug, known as CVE-2023-38831, has been exploited since April 2023, enabling threat actors to deliver various malware payloads. Despite a patch being available, many users remain vulnerable. Google emphasizes the importance of patching and keeping software up-to-date.
Key takeaways from the meeting notes are as follows:
1. Several state-backed hacking groups, including Sandworm, APT28, and APT40 from Russia and China, have been exploiting a high-severity vulnerability in WinRAR, a popular compression software used by over 500 million users.
2. Google’s Threat Analysis Group (TAG) has detected these state hackers targeting the vulnerability and has observed multiple government-backed hacking groups exploiting it.
3. The vulnerability, known as CVE-2023-38831, has been under active exploitation since at least April 2023, allowing threat actors to execute arbitrary code on the targeted systems.
4. Russian Sandworm hackers used phishing attacks to deliver Rhadamanthys infostealer malware to Ukrainian users.
5. ATP28, another Russian hacking group, targeted Ukrainian users using malicious PowerShell scripts to steal browser credentials.
6. Chinese hacking group APT40 exploited the WinRAR vulnerability in attacks against targets in Papua New Guinea.
7. The vulnerability has been used to deliver various types of malware payloads, including DarkMe, GuLoader, and Remcos RAT.
8. Some attacks targeted cryptocurrency and stock trading forums by impersonating fellow enthusiasts and sharing trading strategies to deceive victims.
9. Proof of concept exploits for the vulnerability began surfacing on public GitHub repositories shortly after Group-IB disclosed their findings.
10. The zero-day vulnerability was fixed with the release of WinRAR version 6.23 on August 2, along with other security flaws.
11. The widespread exploitation of the WinRAR vulnerability highlights the importance of patching and making it easy for users to keep their software secure and up-to-date.