Hackers in Russia

Hackers in Russia and China persist in exploiting vulnerabilities discovered in older versions of compression software.

Government-backed hackers from Russia and China have been taking advantage of a well-known vulnerability in outdated versions of WinRAR, which is the world’s most widely used compression tool with over 500 million users. Google’s Threat Analysis Group (TAG) reported on Wednesday that they had detected several government-backed hacking campaigns leveraging the WinRAR vulnerability since early 2023.

Kate Morgan from Google emphasized the importance of safeguarding against such threats by keeping software up-to-date and promptly installing security updates when they are released. This proactive approach is essential for ensuring protection against vulnerabilities like the one exploited by these hackers.

The vulnerability in question affects all of RARLAB’s WinRAR products released before version 6.23, which was launched in August shortly after the bug’s discovery. This vulnerability came to light thanks to Group-IB, who revealed how hackers managed to infiltrate a finance forum catering to traders, infecting 130 devices belonging to forum members and withdrawing funds from their brokerage accounts.

Andrey Polovinkin, a Malware Analyst at Group-IB, explained in an August blog post that the cybercriminals exploited a vulnerability that allowed them to deceive users by spoofing file extensions. This enabled them to conceal the launch of malicious scripts within an archive file that appeared to be a harmless file format like ‘.jpg’ or ‘.txt’.
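
A defensive check for the extension spoofing described above, as an added example that is not code from Group-IB, Google or RARLAB: it lists a ZIP archive's entries and flags names in which a harmless-looking extension is followed by a script or executable extension. The extension lists, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed extension lists for illustration; tune them for your environment.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".txt", ".pdf", ".doc", ".docx"}
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".scr", ".js", ".vbs", ".ps1", ".lnk"}


def spoof_reason(entry_name):
    """Return why an archive entry name looks spoofed, or None if it does not."""
    leaf = entry_name.rstrip("/").rsplit("/", 1)[-1]
    stem, dot, ext = leaf.rpartition(".")
    if not dot:
        return None
    real_ext = "." + ext.strip().lower()
    if real_ext not in SCRIPT_EXTS:
        return None
    inner = stem.rstrip()  # drop padding placed between the two extensions
    if "." not in inner:
        return None
    decoy = "." + inner.rpartition(".")[2].lower()
    if decoy not in DECOY_EXTS:
        return None
    padded = inner != stem or ext != ext.strip()
    note = " (padded with whitespace)" if padded else ""
    return f"'{decoy}' shown before real extension '{real_ext}'{note}"


def scan_zip(archive_bytes):
    """List (entry_name, reason) for every suspicious file entry in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            reason = None if info.is_dir() else spoof_reason(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample():
    """Constructed in-memory ZIP with harmless contents, for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("holiday.jpg", "statement.txt .cmd",
                     "photos/chart.jpg.bat", "tools/setup.exe"):
            zf.writestr(name, b"constructed sample, no executable content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample()):
        print(f"SUSPICIOUS {name!r}: {reason}")
```

A name-based check like this is a triage aid for mail gateways or download scanning and does not replace updating WinRAR to version 6.23 or later.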

Google identified the Russian Armed Forces group known as “Sandworm” as one of the hacking entities exploiting this vulnerability in WinRAR’s code. Sandworm specifically targeted users with ties to the energy and defense sectors in Ukraine and Eastern Europe through phishing campaigns. Another group referred to as “APT 40,” which has been linked to China’s State Department, was identified by Google as conducting a malicious campaign against Papua New Guinea.

In the release notes for WinRAR version 6.23, the first update designed to address this vulnerability, RARLAB expressed gratitude to Group-IB and the Zero Day Initiative for bringing the issue to their attention. They “highly recommend installing the latest version” to protect against this vulnerability.

It’s a well-known fact that users often neglect to update their software, especially those who may not be entirely comfortable with computers. This underscores the critical importance of keeping software up to date, particularly for security-related updates.
