Security
Headlines
HeadlinesLatestCVEs

Headline

APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

By Deeba Ahmed All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack. This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

HackRead
#vulnerability#web#windows#google#git#zero_day

According to Google’s Threat Analysis Group (TAG), the group exploiting the vulnerability comprises Sandworm, Fancy Bear, and APT40, all associated with the Russian government and military.

_KEY FINDINGS_

Google’s TAG researchers have found that government-sponsored hackers are actively exploiting an already discovered WinRAR vulnerability.

This vulnerability lets hackers execute arbitrary code on the targeted device.

Attackers can steal sensitive data, hijack the victim’s computer, and install malware.

State-sponsored actors from a number of countries are exploiting this vulnerability in their malicious operations.

Google has urged users to immediately apply the latest WinRAR patch to prevent their devices from being invaded by state-backed actors.

Organizations must protect their networks by implementing a robust vulnerability management program and deploying endpoint security solutions.

On August 25, 2023, Hackread.com reported a 0-day vulnerability in WinRAR, which was actively exploited worldwide, targeting 130 traders to successfully steal funds. It has now come to light that the vulnerability continues to be exploited, despite the availability of a security patch.

Google’s Threat Analysis Group (TAG) has discovered that state-backed threat actors are continuously exploiting a known vulnerability in the popular file archiver tool for Windows, WinRAR. The vulnerability is tracked as CVE-2023-38831, and it was exploited for the first time in early 2023 by cybercrime groups before it was identified by defenders. Now state-backed actors are exploiting it. Until August, this bug was exploited as zero-day. It was first reported by Group-IB researchers.

TAG’s Kate Morgan wrote in the report published on 18 October that despite that a patch was released soon after it was discovered, many devices remain unpatched and are vulnerable to exploitation. This is probably because the WinRAR tool doesn’t have an auto-update feature. It was fixed in WinRAR versions 6.24 and 6.23. Users have to download the patch manually.

Regarding the state-sponsored actors exploiting the WinRAR bug, TAG noted that three different clusters of attackers are involved. These include Sandworm aka FROZENBARENTS, Russian APT28 aka Fancy Bear or FROZENLAKE, and APT40 aka ISLANDDREAMS.

For your information, Sandworm is affiliated with the Russian Armed Forces’ Main Directorate of the General Staff Unit 74455 and likes to target the energy sector. The Ukrainian drone-based email campaign Sandworm launched on September 6th exploits this bug to deliver a ZIP archive file.

APT28 is also linked to the same unit but focuses on targeting Ukrainian government entities with a spearphishing campaign. APT40 is associated with the Chinese government and exploited this bug in late August to launch a phishing campaign targeting Papua New Guinea.

This vulnerability lets attackers execute arbitrary code on their targeted device by tricking the victim into opening a specially designed PNG file with a ZIP archive, leading to the stealing of sensitive data, installation of malware, or hijacking of the infected device. Since April 2023, cybercriminals have actively used this bug to target cryptocurrency trading accounts.

“A logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces.”

Google’s Threat Analysis Group (TAG)

This widespread exploitation highlights that “exploits for known vulnerabilities can be highly effective, despite a patch being available” and indicates the importance of prompt application of security patches.

****Update Your WinRAR Installer to the Latest Version****

To safeguard your system and personal data from potential threats, it’s crucial to keep your WinRAR installer up-to-date with the latest version. Updating your WinRAR software ensures that you have the latest security patches and enhancements, significantly reducing the risk of falling victim to cyberattacks.

You can get WinRaR’s latest version on its official website. Don’t wait – stay protected by regularly checking for updates and applying them as soon as they become available. Your digital security depends on it.

_RELATED ARTICLES_

  1. The Best Way to Install and Set-Up WinRAR 64-bit
  2. WinRAR vulnerability allowed attackers to remotely hijack systems
  3. Hackers are using 19-year-old WinRAR bug to install nasty malware

Related news

'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

Who needs advanced malware when you can take advantage of a bunch of OSS tools and free cloud services to compromise your target?

Report Uncovers Massive Sale of Compromised ChatGPT Credentials

By Deeba Ahmed Group-IB Report Warns of Evolving Cyber Threats Including AI and macOS Vulnerabilities and Ransomware Attacks. This is a post from HackRead.com Read the original post: Report Uncovers Massive Sale of Compromised ChatGPT Credentials

Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks

Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with

Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities

Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate

Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and

Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability

Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28,

Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group

By Waqas Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency. This is a post from HackRead.com Read the original post: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group

Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan

Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks

Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are

SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities

The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a

Patch Now: APTs Continue to Pummel WinRAR Bug

State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.

Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw

A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively

Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as

Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with VenomRAT

A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as

WinRAR Remote Code Execution

This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.

Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure

The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. “Visiting the link will download a ZIP archive containing three JPG images (

August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper

Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]

WinRAR users update your software as 0-day vulnerability is found

By Habiba Rashid The 0-day vulnerability in WinRAR, which has been exploited, is targeting traders and has successfully stolen funds from 130 victims so far. This is a post from HackRead.com Read the original post: WinRAR users update your software as 0-day vulnerability is found

WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files.

CVE-2023-38831

RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.