State-sponsored threat actors from Russia and China have been exploiting a high-severity vulnerability in WinRAR [2], known as CVE-2023-38831 [2] [3] [5]. This vulnerability allows attackers to gain arbitrary code execution on targeted systems [5].

Description

These hackers [5], including Sandworm [3] [4] [5], APT28 [1] [2] [4] [5], and APT40 [3] [4] [5], have been able to extract sensitive information by hiding malware in archived files, which appear as normal images or text documents [3]. They launch phishing campaigns and distribute malicious ZIP files to carry out their attacks. Specifically, government organizations in Ukraine and Papua New Guinea have been targeted [2].

Sandworm [1] [2] [3] [4] [5], a Russian military intelligence unit known for interfering in the 2016 US presidential elections and the Russia-Ukraine war [3], uses phishing attacks to deliver Rhadamanthys infostealer malware [5]. APT28 [1] [2] [4] [5], also known as Fancy Bear and believed to be sponsored by the Russian government [1], targets Ukrainians in the energy sector with exploits hosted on free servers. APT40 [2] [3] [4] [5], a Chinese hacking collective allegedly tied to the Chinese Ministry of State Security [3], targets Papua New Guinea using ISLANDSTAGER and BOXRAT to establish persistence on compromised systems [5].

Google’s Threat Analysis Group (TAG) has observed these activities and has shared indicators of compromise (IoCs) related to these attacks. The widespread exploitation of this vulnerability highlights the effectiveness of known vulnerabilities [1] [2], even when a patch is available [1]. These state-sponsored threat actors are exploiting the WinRAR vulnerability (CVE-2023-38831) to deliver malware to unpatched systems [4]. Attacks have been observed targeting organizations in Ukraine and Papua New Guinea [4]. The flaw is a known and patched vulnerability in WinRAR [4], but systems that have not been updated remain vulnerable [4]. Russia-backed APT groups [4], including Sandworm and APT28 [3] [4] [5], have been identified as the primary perpetrators of these attacks [4]. A China-backed group known as APT40 has also been involved in delivering malware [4]. Despite the availability of patches [4], many systems remain vulnerable due to slow patching rates [4].

Conclusion

The exploitation of the WinRAR vulnerability by state-sponsored threat actors from Russia and China has significant impacts. It allows attackers to gain unauthorized access to sensitive information and compromise targeted systems. While patches are available, the slow rate of patching leaves many systems vulnerable. This highlights the need for organizations to prioritize timely patching and stay vigilant against phishing campaigns and malicious files. The actions of these threat actors also have future implications, as they demonstrate the ongoing threat posed by state-sponsored cyber attacks and the importance of robust cybersecurity measures.

References

[1] https://www.helpnetsecurity.com/2023/10/18/apts-winrar-cve-2023-38831/
[2] https://thehackernews.com/2023/10/google-tag-detects-state-backed-threat.html
[3] https://www.techradar.com/pro/security/patch-winrar-now-its-got-a-major-security-flaw
[4] https://www.darkreading.com/attacks-breaches/patch-now-apts-pummel-winrar-bug
[5] https://www.redpacketsecurity.com/google-links-winrar-exploitation-to-russian-chinese-state-hackers/