Patch WinRAR now – it’s got a major security flaw
Russian and Chinese state-sponsored threat actors have been discovered to be exploiting a known vulnerability in the popular archiving tool WinRAR to extract sensitive information such as passwords and other credentials.
Google’s Threat Analysis Group (TAG), which typically tracks and analyzes state-sponsored hackers, claims to have found evidence that the flaw, previously identified by Group-IB as CVE-2023-38831, was used to introduce malware into archived files to hide .
To the average Joe, the files look like an average image or text document. However, when downloaded and extracted, they infect the device with information-stealing malware, which is capable of obtaining various files and information from the endpoint, such as passwords and payment details stored in browsers, various system information and more.
Sandworm, APT40 and others
To make matters worse, these aren’t just one or two groups targeting WinRAR users – apparently they are “several” groups targeting “many users” who have yet to apply the patch.
The patch does exist, but RarLab, the company behind WinRAR, released version 6.23 in early August this year to fix the problem. However, there is no way to update the program from within. Users need to go to the WinRAR website, download the latest version and run the installer as if they were installing the program from scratch.
However, users will want to patch as one of the groups was identified as Sandworm, a Russian military intelligence unit that allegedly meddled in the 2016 presidential election in the United States. It was also seen as quite an active player in the war between Russia and Ukraine and was behind the infamous 2017 NotPetya ransomware attack.
Another identified player is APT40, a Chinese hacking collective said to have ties to the Chinese Ministry of State Security. It used the flaw to target endpoints in Papua New Guinea via a Dropbox link.
The WinRar vulnerability “highlights that exploits for known vulnerabilities can be highly effective,” TAG researchers concluded.
Through TechCrunch