Lazarus Group Actively Exploiting ManageEngine Vulnerability in Attacks on Healthcare Organizations
Healthcare organizations in the United States have been warned that a vulnerability in Zoho’s ManageEngine products is being actively exploited by the Lazarus Group, a North Korean state-sponsored threat actor.
The vulnerability is tracked as CVE-2022-47966 and affects 24 ManageEngine products. It stems from an outdated third-party XML signature library (Apache Santuario) used in the products’ SAML handling, so a product is exploitable if SAML single sign-on is enabled, or has ever been enabled, in a vulnerable version. Successful exploitation allows an unauthenticated, remote attacker to execute arbitrary code on the server.
The Lazarus Group has been exploiting the vulnerability to deliver a remote access trojan (RAT) called QuiteRAT, which is believed to be the successor of MagicRAT. Some attacks have also deployed a new malware tool called CollectionRAT. Both malware families allow the threat actor to perform a range of actions on the compromised host, including arbitrary command execution. According to researchers at Cisco Talos, the Lazarus Group has been targeting Internet backbone infrastructure and healthcare organizations in Europe and the United States since February 2023, with the first attacks starting within five days of a proof-of-concept exploit being published.
Zoho released patches for all affected products in October 2022 and recommended immediate patching. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog in January 2023; however, many organizations have been slow to patch.
The Health Sector Cybersecurity Coordination Center has published Indicators of Compromise (IoCs) in a September 18, 2023, Sector Alert and strongly encourages all healthcare organizations to ensure that they are running the most recent ManageEngine version.