State-sponsored hackers from Russia and China have exploited a vulnerability in older versions of WinRAR, the widely used compression tool that its developer says has more than half a billion users worldwide. Google’s Threat Analysis Group (TAG) reported on Wednesday that it has tracked multiple attacks exploiting the WinRAR vulnerability since early 2023.
Google’s Kate Morgan, in a TAG announcement, emphasized the importance of regular software updates: “For robust security, we strongly advise both organizations and individual users to regularly update software and promptly apply security patches.”
The affected versions are all WinRAR releases before 6.23, which RARLAB shipped in August 2023 after the flaw (tracked as CVE-2023-38831) was reported. Cybersecurity firm Group-IB first disclosed the bug, describing a campaign in which attackers posted booby-trapped archives on trading forums, infected at least 130 traders’ devices and withdrew money from their brokerage accounts.
According to Andrey Polovinkin, a malware analyst at Group-IB, the attackers used the flaw to disguise malicious scripts as harmless file types such as .jpg or .txt. The trick relies on a crafted ZIP archive that pairs a decoy file with a folder of the same name holding a script: when a victim double-clicks the decoy in an unpatched WinRAR, the script runs instead of the image or text file the victim expected to open.
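The following scanner is an added example, not code from the article, from Group-IB or from RARLAB. It checks a ZIP archive for the layout publicly documented for CVE-2023-38831: a top-level decoy file (typically with a trailing space in its name) alongside a directory of the same name that holds a member named after the decoy plus an executable extension. The two sample archives are constructed in memory for the demonstration; the extension list is the author’s own choice of what Windows will execute, not something taken from the article.

```python
"""Scan ZIP archives for the decoy-file / same-named-folder layout used against
WinRAR (CVE-2023-38831). Added example, not code from the article or from RARLAB."""
import io
import zipfile

# Extensions that Windows will run as a program or script when opened (assumed list).
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".wsf", ".scr", ".com", ".lnk")


def find_decoy_pairs(archive_bytes: bytes) -> list:
    """Return (decoy, script) name pairs matching the CVE-2023-38831 layout.

    Layout: a top-level file entry X (the decoy, e.g. "report.jpg " with a
    trailing space) and a directory X/ containing a member named "X<ext>"
    where <ext> is an executable type, e.g. "report.jpg /report.jpg .cmd".
    Unpatched WinRAR, asked to open the decoy, extracts and runs the script.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    # Directories may be explicit entries ("X/") or merely implied by member paths.
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    dirs.update(n.rsplit("/", 1)[0] for n in files if "/" in n)

    findings = []
    for decoy in files:
        if "/" in decoy or decoy not in dirs:
            continue  # only a top-level file that shares its name with a folder
        for member in files:
            if not member.startswith(decoy + "/"):
                continue
            leaf = member[len(decoy) + 1:].lower()
            if leaf.startswith(decoy.lower()) and leaf.endswith(SCRIPT_EXTENSIONS):
                findings.append((decoy, member))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archive for exercising the scanner (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            # The trailing space in the decoy name is characteristic of the exploit layout.
            zf.writestr("report.jpg ", b"\xff\xd8\xff\xe0 constructed decoy bytes")
            zf.writestr("report.jpg /report.jpg .cmd", b"@echo off\r\nrem constructed placeholder\r\n")
        else:
            zf.writestr("report.jpg", b"\xff\xd8\xff\xe0 constructed image bytes")
            zf.writestr("notes/readme.txt", b"constructed benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("benign", build_sample(False)), ("malicious", build_sample(True))):
        hits = find_decoy_pairs(data)
        print(f"{label}: {'SUSPICIOUS ' + repr(hits) if hits else 'no decoy/script pair found'}")
```

To check a real file, pass its bytes to `find_decoy_pairs`. The scanner flags only this specific layout in ZIP containers; it does not detect other ways of hiding executables in archives, so it complements rather than replaces upgrading WinRAR to 6.23 or later.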
Google singled out Sandworm, a group attributed to Russia’s military intelligence service, the GRU, as one of the actors exploiting the bug. Sandworm’s phishing campaigns targeted people connected to the energy and defense sectors in Ukraine and Eastern Europe. Another group, APT40, believed to be linked to China’s Ministry of State Security, ran a phishing campaign against targets in Papua New Guinea.
In the release notes for version 6.23, which fixed the bug, RARLAB thanked Group-IB and Trend Micro’s Zero Day Initiative for reporting it and urged users to upgrade to the latest version.
It is widely recognized that users, particularly less technical ones, do not update software as consistently as they should, and WinRAR has no automatic update mechanism, so each new version has to be downloaded and installed by hand.
Highlighting the critical nature of timely software patches, Google’s TAG team commented, “The recurring exploits on the WinRAR vulnerability emphasize the urgency of updates, highlighting the ongoing need to simplify the process for users to secure their software.”