Flood of exploits targeting ancient WinRAR flaw continues

Identified as CVE-2018-20250, an ancient WinRAR vulnerability made public in February is now well on its way to becoming one of the most widely and rapidly-exploited security flaws of recent times.

The latest evidence is a report from Microsoft’s Office 365 Threat Research team which identified it as being used by the ‘MuddyWater’ APT group to target organizations in the satellite and communications industry.

For those unfamiliar with WinRAR, it’s a hugely popular Windows compression utility dating back to the 1990s which, a security company discovered, had a serious RCE flaw that had been sitting inside it for 19 years.

WinRAR was far too tempting for cybercriminals to ignore, within days stirring up a hornet’s nest of exploits to the tune of 100 or more.

Exploiting the vulnerability depended on a defunct file format called ACE, support for which was dropped by the utility’s developers with the release of version 5.71 beta after they were told of the issue in advance of its disclosure.

That was weeks before its existence became public but unfortunately, news travels slowly and a lot of users failed to update.

In that sense, Microsoft’s blog about recent targeted attacks serves as a warning to organisations or individuals who haven’t done that yet.

Detected in early March, it’s a sophisticated nation-state phishing attack (hence the APT designation, which signifies this type of attacker), which uses a Word attachment that claims to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan as the lure.

Opening this triggers a further download from a OneDrive link (now inactive) to an archive containing a second Word file within which is embedded a macro initiating the payload.

Eventually this leads to a PowerShell script, which opens a command backdoor for the attackers to deliver the malicious ACE file with the CVE-2018-20250 exploit.

It’s involved stuff because the attackers still have to trick the user via a bogus warning dialogue into restarting the PC for the attack to work. Despite that, this kind of attack is founded on a percentages game that assumes someone will fall for the ruse – and one is more than enough for a targeted attack.

As Microsoft observes:

The attacks that immediately exploited the WinRAR vulnerability demonstrate the importance of threat & vulnerability management in reducing organizational risk.

What is striking is how similar the attack design described by Microsoft is to numerous other reported attacks exploiting the same WinRAR vulnerability.

How did a flaw stay hidden for so long?

Because software development can be complicated, as WinRAR’s developers noted in their release notes for the patched version:

WinRAR used this third-party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.

Patch or remove

Apart from updating and/or removing WinRAR, admins might want to send out a warning about the attack MO, especially the issue of not opening ACE archives under any circumstances (remembering that archives can be renamed to bypass suspicion).
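
Because a renamed archive keeps its ACE header, admins can find ACE files by content rather than by extension. The sketch below is an added example, not code from Microsoft or WinRAR's developers: it checks for the ACE signature `**ACE**` at byte offset 7 and flags files whose name does not end in .ace. The 64 KB scan window, the function names and the sample files are assumptions made for illustration.

```python
import os
import tempfile

ACE_MAGIC = b"**ACE**"   # signature inside the ACE main header
ACE_MAGIC_OFFSET = 7     # follows CRC (2), size (2), type (1), flags (2)
SCAN_WINDOW = 64 * 1024  # assumption: window to catch a prepended stub

def classify(path):
    """'ace' = magic at the standard offset, 'ace-embedded' = magic later
    in the first SCAN_WINDOW bytes, None = no ACE signature found."""
    with open(path, "rb") as fh:
        head = fh.read(SCAN_WINDOW)
    if head[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "ace-embedded" if ACE_MAGIC in head else None

def find_ace_files(root):
    """Return sorted (relative path, kind, disguised) for each ACE hit under
    root; disguised is True when the file name does not end in .ace."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                kind = classify(path)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if kind:
                rel = os.path.relpath(path, root)
                hits.append((rel, kind, not name.lower().endswith(".ace")))
    return sorted(hits)

def build_sample_tree():
    """Constructed samples: header-shaped bytes only, not real archives."""
    root = tempfile.mkdtemp()
    header = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC
    samples = {
        "report.rar": header,                         # ACE content, misleading name
        "backup.ace": header,                         # ACE content, honest name
        "setup.exe": b"MZ" + b"\x00" * 510 + header,  # magic behind a stub
        "notes.txt": b"plain text, no archive",       # benign
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, kind, disguised in find_ace_files(build_sample_tree()):
        print(f"{rel:12} {kind:13} {'DISGUISED' if disguised else ''}")
```

An `ace-embedded` hit only means the signature bytes appear somewhere in the scanned window, so treat it as a lead for manual review rather than a confirmed archive.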

The other takeaway is not to assume that, because the attacks detected so far have been connected to nation states, this will always be the case. Commercial exploits won’t be far behind – WinRAR’s half a billion reported users is a lot of victims to aim at.