Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw

October 19, 2023 at 12:33AM

State-backed threat actors from Russia and China are exploiting a security flaw in the WinRAR archiver tool for Windows. The vulnerability (CVE-2023-38831) lets an attacker execute code when a user opens what appears to be a benign file (such as an image or PDF) inside a specially crafted ZIP archive. The attackers include FROZENBARENTS (Sandworm), FROZENLAKE (APT28), and ISLANDDREAMS (APT40). These groups have launched phishing attacks targeting Ukraine and Papua New Guinea, using the exploit to deliver malware and backdoors. A fix has been available since WinRAR 6.23, yet the widespread exploitation shows how effective a known vulnerability remains against systems that have not been updated.

Key takeaways:
1. State-backed threat actors from Russia and China have been exploiting a security flaw in the WinRAR archiver tool for Windows.
2. The vulnerability is tracked as CVE-2023-38831 and allows attackers to execute arbitrary code when a user opens a seemingly benign file within a specially crafted ZIP archive.
3. The vulnerability has been actively exploited since April 2023.
4. Google Threat Analysis Group (TAG) has identified three different threat actors involved: FROZENBARENTS (Sandworm), FROZENLAKE (APT28), and ISLANDDREAMS (APT40).
5. Sandworm launched a phishing attack impersonating a Ukrainian drone warfare training school and distributed a malicious ZIP file containing Rhadamanthys malware.
6. APT28 targeted government organizations in Ukraine with a file masquerading as an event invitation from Razumkov Centre.
7. APT40 launched a phishing campaign targeting Papua New Guinea, which included a Dropbox link to a ZIP archive containing the exploit.
8. The attacks resulted in the execution of PowerShell scripts and the deployment of various malware, including information stealers and backdoors.
9. Other state-sponsored adversaries, such as Konni and Dark Pink, have also been exploiting the WinRAR flaw.
10. The widespread exploitation of this vulnerability highlights the effectiveness of known exploits, even when patches are available.
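As an added illustration (not part of the original article and not Google TAG's tooling), the Python scanner below checks a ZIP archive for the publicly documented CVE-2023-38831 layout: a top-level decoy file whose name ends in a trailing space, plus a directory of the same name that contains a script whose name begins with the decoy's name. The file names, the SCRIPT_EXTENSIONS set and the two constructed sample archives are assumptions chosen for the demonstration; the sample built with malicious=True only mirrors the structure and holds an echo command, not a payload, and the scanner never extracts anything.

```python
"""Heuristic scanner for the CVE-2023-38831 archive layout (added example)."""
import io
import zipfile

# Extensions Windows hands to an interpreter or runs directly. Assumption for
# this example; the scripts seen in the wild were mostly .cmd/.bat launchers.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".scr", ".com", ".vbs", ".js", ".ps1", ".lnk"}


def find_cve_2023_38831_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs that match the documented exploit layout.

    Layout: a top-level file "NAME " (trailing space) and a directory "NAME /"
    holding a script such as "NAME .cmd". In unpatched WinRAR, opening the
    decoy from the archive runs the script instead of (or as well as) the decoy.
    Only central-directory names are inspected; nothing is extracted.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # Decoy candidates: top-level entries whose name ends with a space.
        decoys = [n for n in names if "/" not in n and n.endswith(" ")]
        for decoy in decoys:
            prefix = decoy + "/"
            for entry in names:
                if not entry.startswith(prefix) or entry.endswith("/"):
                    continue
                inner = entry[len(prefix):]
                if "/" in inner:
                    continue  # deeper nesting is not the documented trigger
                ext = inner[len(decoy):].lower() if inner.startswith(decoy) else ""
                if ext in SCRIPT_EXTENSIONS:
                    hits.append((decoy, entry))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed test data (not a real campaign artifact).

    malicious=True yields an archive in the exploit layout with a harmless
    echo script; malicious=False yields an ordinary archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("invitation.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("invitation.pdf /invitation.pdf .cmd",
                        b"@echo off\r\necho constructed sample\r\n")
        else:
            zf.writestr("invitation.pdf", b"%PDF-1.4 real document")
            zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("clean", False)):
        print(label, find_cve_2023_38831_pairs(build_sample(flag)))
```

Pointing the scanner at mail-gateway or sandbox captures (read the bytes and call find_cve_2023_38831_pairs) gives a cheap triage signal for archives that should be quarantined; it is a layout check, so it complements rather than replaces updating WinRAR to 6.23 or later.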
