October 19, 2023 at 11:05AM
State-sponsored threat actors from Russia and China are exploiting the WinRAR vulnerability in unpatched systems to deliver malware. Google TAG has observed attacks targeting organizations in Ukraine and Papua New Guinea. The flaw is a known vulnerability in WinRAR, but many systems remain vulnerable. Patching remains a global challenge for software users.
Key takeaways from the meeting notes:
1. State-sponsored threat actors from Russia and China are exploiting the WinRAR vulnerability (CVE-2023-38831) in unpatched systems to deliver malware, including infostealers and backdoors, to their targets.
2. The primary actors exploiting the WinRAR flaw are Russia-backed advanced persistent threat (APT) groups, including Sandworm and APT28. These groups have been launching phishing campaigns and impersonating organizations to deliver malware.
3. A China-backed group known as IslandDreams (APT40) has also been involved in targeting systems in Papua New Guinea with infostealers.
4. RarLab has released patches for the vulnerability, but many systems remain vulnerable due to slow patching rates.
5. The flaw in WinRAR allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.
6. Proof-of-concept exploits and exploit generators for the WinRAR vulnerability have appeared on public GitHub repositories, leading to further attacks.
7. The attacks have been observed to use various methods, such as weaponized ZIP files, decoy PDF documents, and exploitation of browser vulnerabilities.
8. Timely patching is crucial to prevent exploitation of vulnerabilities like the WinRAR flaw, highlighting the ongoing challenge of keeping software secure and up-to-date.
It is recommended to prioritize patching systems to protect against the WinRAR vulnerability and remain vigilant against phishing campaigns.
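Item 5 describes the flaw only at a high level: opening a benign-looking file inside an archive runs code. The publicly documented archive layout behind CVE-2023-38831 is a benign file paired with a folder whose name matches that file (differing only by trailing whitespace), with the folder's contents being processed when the benign file is opened. The following is an added example, not code from the original page or from RarLab or Google TAG: a defender-side heuristic that a mail gateway or file-scanning pipeline could run over incoming ZIP archives to flag that name collision before the archive reaches an unpatched WinRAR. The sample archives, the `SCRIPT_EXTENSIONS` list and the verdict labels are all constructed assumptions for the illustration; the check complements patching, it does not replace it.

```python
import io
import posixpath
import zipfile

# Extensions that, when found inside a colliding folder, escalate the
# verdict from "review" to "block". Constructed list; tune to your estate.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr", ".com"}


def find_spoofed_entries(zip_bytes):
    """Return sorted (file_name, folder_name, members) tuples for every file
    entry whose name equals a folder name once trailing whitespace is
    stripped from both. Heuristic for the CVE-2023-38831 archive layout."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = {n for n in names if not n.endswith("/")}

    # ZIP files need not carry explicit directory entries, so derive every
    # folder from the stored paths: "a/b/c" implies folders "a" and "a/b".
    dir_members = {}
    for n in names:
        parts = n.split("/")
        for depth in range(1, len(parts)):
            folder = "/".join(parts[:depth])
            dir_members.setdefault(folder, set())
            if depth == len(parts) - 1 and not n.endswith("/"):
                dir_members[folder].add(parts[-1])

    hits = []
    for f in files:
        for folder, members in dir_members.items():
            if folder != f and folder.rstrip() == f.rstrip() and members:
                hits.append((f, folder, sorted(members)))
    return sorted(hits)


def assess_archive(zip_bytes):
    """Return (verdict, hits): "clean" when no collision exists, "block" when
    a colliding folder holds a script-like member, otherwise "review"."""
    hits = find_spoofed_entries(zip_bytes)
    if not hits:
        return "clean", hits
    for _, _, members in hits:
        if any(posixpath.splitext(m)[1].lower() in SCRIPT_EXTENSIONS for m in members):
            return "block", hits
    return "review", hits


def build_sample(entries):
    """Build an in-memory ZIP from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: an ordinary archive, and one with the colliding
# folder layout (folder name = benign file name plus a trailing space).
BENIGN = build_sample({
    "report.pdf": b"%PDF-1.4 placeholder",
    "notes/readme.txt": b"placeholder text",
})
SUSPECT = build_sample({
    "report.pdf": b"%PDF-1.4 placeholder",
    "report.pdf /report.pdf .cmd": b"rem placeholder, not a payload",
})

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        verdict, hits = assess_archive(sample)
        print(f"{label}: {verdict} {hits}")
```

The comparison is done on stored entry names, not on extracted files, so the scanner never unpacks untrusted content. Archive names with trailing whitespace are almost never produced by legitimate tooling, which is why a rstrip-normalized collision on its own is enough to route the file for review.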