TECH NEWS – Yes, the WinRAR that hardly any of us have ever paid for (and whose easter egg everyone has tried at least once: click the stack of books in the program’s About dialog and it tumbles to the bottom of the window…).
The Ukrainian authorities say Russian hackers are using the WinRAR archiver to destroy data on government computers. According to CERT-UA, the Ukrainian government’s computer emergency response team, the attackers (most likely the notorious Sandworm group) got hold of compromised VPN accounts, which gave them a way into official Ukrainian state networks.
CERT-UA says the attackers ran a batch script called RoarBAT. It searches the targeted computer for files with the following extensions: .doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .jpeg, .jpg, .zip, .rar and .7z, so the file types typical of official documents are the ones at risk. Those files are archived with WinRAR using the -df switch, which deletes the source files once the archive has been written; the archives themselves are then removed as well, leaving a complete loss of data. Note that nothing here is custom wiper code: the destruction is done by a legitimate, signed tool with a documented switch, so file-based antivirus has little to catch, and the useful signal is the process command line.
WinRAR is everywhere, but the Linux machines on these networks were not spared either: there the same job was done by a Bash script that uses the standard dd utility to overwrite files with zero bytes. According to CERT-UA, the attack is suspiciously similar to the one previously carried out against the Ukrainian state news agency Ukrinform, which was attributed to the Sandworm group. “The method of implementing the malicious plan, the IP addresses of the access subjects, and the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform,” CERT-UA wrote.
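Since both variants described above (WinRAR with a delete-after-archive switch on Windows, dd writing zeros on Linux) leave their fingerprints in the process command line rather than in any malware file, a hunt over process-creation telemetry is the practical check. The script below is an added example written for this page, not code from the article or from CERT-UA. It assumes a constructed one-event-per-line log format (host, a tab, then the full command line); the sample events are made up for the demonstration, and the detection of the WinRAR "m" command and the -dw/-dr switches generalises beyond the -df switch the report names, since all of them remove the source files.

```python
"""Hunt for RoarBAT-style archive-and-delete wiping in process-creation logs.

Added example for this article, not CERT-UA's or the attackers' code.
Log format is constructed: one process event per line, '<host>\t<command line>'.
Map Sysmon Event ID 1 / auditd EXECVE fields onto parse_event() to adapt it.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Extensions the CERT-UA report names as RoarBAT's targets.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx", ".ppt", ".pptx",
    ".jpeg", ".jpg", ".zip", ".rar", ".7z",
}

# Documented WinRAR switches that remove the sources once the archive is written:
# -df (delete), -dw (wipe: overwrite then delete), -dr (delete to recycle bin).
# The "m" (move) command deletes sources without any switch at all.
SOURCE_DELETING_SWITCHES = {"-df", "-dw", "-dr"}
RAR_BINARIES = {"rar.exe", "winrar.exe", "rar"}


@dataclass
class Alert:
    host: str
    rule: str
    command: str


def parse_event(line: str) -> tuple[str, str]:
    """Constructed log format: '<host>\\t<full command line>'."""
    host, _, cmd = line.rstrip("\n").partition("\t")
    return host, cmd


def tokenize(cmd: str) -> list[str]:
    """Split on whitespace, honouring double-quoted arguments. Backslashes are
    kept literally so Windows paths survive (shlex in POSIX mode would eat them)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def extension(path: str) -> str:
    m = re.search(r"(\.[A-Za-z0-9]+)$", basename(path))
    return m.group(1).lower() if m else ""


def check_winrar(argv: list[str]) -> Optional[str]:
    """Windows pattern: rar/WinRAR adding files with a switch (or the 'm'
    command) that deletes the originals afterwards."""
    switches = {a.lower() for a in argv[1:] if a.startswith("-")}
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if not positional:
        return None
    command, masks = positional[0].lower(), positional[2:]  # [1] is the archive name
    deletes = command == "m" or (command == "a" and switches & SOURCE_DELETING_SWITCHES)
    if not deletes:
        return None
    hit = sorted({extension(m) for m in masks} & TARGET_EXTENSIONS)
    if hit:
        return f"winrar_delete_after_archive targeting {','.join(hit)}"
    return "winrar_delete_after_archive"


def check_dd(argv: list[str]) -> Optional[str]:
    """Linux variant CERT-UA described: dd overwriting files with zeros.
    Zeroing a block device (of=/dev/sdX) is noisy admin work, not this pattern."""
    kv = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
    target = kv.get("of", "")
    if kv.get("if") != "/dev/zero" or not target or target.startswith("/dev/"):
        return None
    return f"dd_zero_overwrite of {target}"


def classify(cmd: str) -> Optional[str]:
    argv = tokenize(cmd)
    if not argv:
        return None
    image = basename(argv[0]).lower()
    if image in RAR_BINARIES:
        return check_winrar(argv)
    if image == "dd":
        return check_dd(argv)
    return None


def scan(lines: list[str]) -> list[Alert]:
    alerts = []
    for line in lines:
        host, cmd = parse_event(line)
        rule = classify(cmd)
        if rule:
            alerts.append(Alert(host, rule, cmd))
    return alerts


# Constructed sample events (not real telemetry): a benign backup, an -df run
# over user documents, a "move to archive" run, a file zeroing, a disk zeroing.
SAMPLE_LOG = [
    'WS-017\t"C:\\Program Files\\WinRAR\\Rar.exe" a -r backup.rar D:\\reports\\*.xlsx',
    'WS-017\t"C:\\Program Files\\WinRAR\\Rar.exe" a -r -df C:\\temp\\loot.rar C:\\Users\\*.docx C:\\Users\\*.xlsx',
    'WS-022\t"C:\\Program Files\\WinRAR\\WinRAR.exe" m C:\\temp\\x.rar "C:\\Users\\Public\\Documents\\*.pdf"',
    'srv-db-01\tdd if=/dev/zero of=/var/backups/site.tar bs=1M count=1',
    'srv-db-01\tdd if=/dev/zero of=/dev/sdb bs=1M count=1',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.host}: {a.rule}\n    {a.command}")
```

The first and last sample events are left alone on purpose: an archive without a source-deleting switch and dd zeroing a whole device are everyday administration, and a rule that fires on them would be muted within a week. Expect the "m" command to produce the occasional true-but-benign hit from users who habitually move files into archives; the extension list in the rule name is there to let an analyst triage those quickly.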
Ukrainian state employees should therefore, by all means, tighten the protection of their VPNs (perhaps they should look to Proton…?) and, at a minimum, turn on MFA (multi-factor authentication), so that a stolen password alone no longer gets an attacker onto internal state networks. Hopefully they will do this soon, if they haven’t already.
Source: PCGamer