State-Sponsored Threat Actors are Exploiting Known WinRAR Vulnerability
Google’s Threat Analysis Group (TAG) has “observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR”, a Windows file archiving utility. The high-severity bug has been exploited since early 2023; RARLabs released WinRAR 6.23 in August to address the vulnerability.
You may be noticing a recurring theme recently: exploitation of unpatched vulnerabilities. The takeaway is to make sure you are applying patches, particularly critical ones, in a timely fashion. Where you have long intervals between updates, e.g., on business- or mission-critical systems, maximize the defenses around those systems to reduce the risk. Updates to end-user, commodity, and perimeter systems should be standardized changes so you can apply patches rapidly.
This is an example of cybercriminals ‘banking’ on organizations’ slowness in downloading and installing software updates. The zero-day was first seen in the wild in early April, when you really couldn’t do much but monitor for signs of attack. Fast-forward to August, and an update is released that fixes the underlying vulnerability. Fast-forward again to October, and organizations are still being exploited. Unfortunately, there is still a lot of work to be done in automating the software update process to get ahead of the exploit cycle.
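The practical first step behind the patching advice above is knowing which hosts still run a WinRAR build older than 6.23. The following is an added example, not code from the original article or from Google TAG or RARLabs: it triages a software inventory export (a constructed CSV of host, product, version) into patched, vulnerable, and unknown buckets by comparing the reported version against the 6.23 fix. The inventory format, host names and the `triage` helper are assumptions for illustration; the only fact taken from the article is that 6.23 is the fixed release.

```python
"""Flag WinRAR installs older than the fixed release (6.23) in a software inventory.

Added example: the inventory CSV below is constructed, not real data.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# WinRAR 6.23 (August 2023) addresses CVE-2023-38831; anything lower is unpatched.
FIXED_VERSION: Tuple[int, int] = (6, 23)

# Leading "major.minor" of strings like "6.23", "6.22.0.0" or "5.91".
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an inventory version string, or None if absent.

    Extra components ("6.23.0.0") are ignored; a missing minor is treated as 0.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version is below 6.23, False if 6.23 or newer, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION


# Constructed sample inventory, as an asset-management tool might export it.
SAMPLE_INVENTORY = """host,product,version
ws-0101,WinRAR,6.22
ws-0102,WinRAR,6.23
srv-file01,WinRAR,5.91
ws-0103,WinRAR archiver,6.23.0.0
ws-0104,WinRAR,
ws-0105,7-Zip,23.01
"""


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Bucket every WinRAR host into vulnerable / patched / unknown (hypothetical helper)."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Only WinRAR rows matter; other archivers are out of scope for this CVE.
        if "winrar" not in (row.get("product") or "").lower():
            continue
        state = is_vulnerable(row.get("version") or "")
        if state is None:
            result["unknown"].append(row["host"])   # no version reported: verify by hand
        elif state:
            result["vulnerable"].append(row["host"])
        else:
            result["patched"].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket (no version reported) deserve the same attention as the vulnerable ones until verified, since a blank inventory field is more often a collection gap than evidence of a clean host. The check is a version comparison only; it does not confirm that the binary on disk matches the inventory record.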
Read more in:
Dark Reading: Patch Now: APTs Continue to Pummel WinRAR Bug
Bleeping Computer: Google links WinRAR exploitation to Russian, Chinese state hackers
Gov Infosecurity: Nation-State Hackers Exploiting WinRAR, Google Warns