Lazarus Group Targets Healthcare Sector via ManageEngine Vulnerability

Kamso Oguejiofor-Abugu Kamso Oguejiofor-Abugu Writer

The Health Sector Cybersecurity Coordination Center (HC3) of the US Department of Health and Human Services (HHS) has issued urgent warnings about the North Korean state-sponsored Lazarus Group targeting healthcare organizations in the United States and Europe.

“The attackers have been exploiting a vulnerability in ManageEngine products, which is tracked as CVE-2022-47966,” HC3 said in a section report. “CVE-2022-47966 is a critical vulnerability that affects twenty-four of ManageEngine’s products and allows an attacker to perform remote code execution. This vulnerability is exploitable if the SAML single-sign-on is or ever has been enabled in the ManageEngine setup.”

Lazarus Group is deploying a remote access trojan (RAT) known as “QuiteRAT,” which is reportedly the successor to “MagicRAT.” The group is also using a new malware tool called “CollectionRAT,” which allows the attacker to run arbitrary commands on the infected system.

“This new threat is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus subgroup, Andariel,” the section report reads. “CollectionRAT is also used for gathering metadata, managing files on the infected system, and delivering additional payloads.”

Citing an open-source report by Cisco Talos, HC3 notes that this is the third documented exploit campaign by Lazarus in less than a year. The Cybersecurity and Infrastructure Security Agency (CISA) had added CVE-2022-47966 to its known exploited vulnerabilities catalog earlier this year.

HC3 strongly advises healthcare organizations to update the affected software to the latest version to patch the vulnerability. HC3 also provided links to known indicators of compromise (IOCs) that can help organizations identify exploits in their ManageEngine systems.

While the focus is currently on the Lazarus Group, experts caution against hyper-focusing on a single adversary. Caitlin Condon, head of vulnerability research at security firm Rapid7, noted that various ManageEngine vulnerabilities have been exploited by different threat actors over the years.

As healthcare entities continue to be lucrative targets for cybercriminals, organizations are urged to be proactive in implementing safeguards, patching vulnerabilities, and defending against a broad spectrum of threats.

About the Author

About the Author

Kamso Oguejiofor is a former Content Writer at SafetyDetectives. He has over 2 years of experience writing and editing topics about cybersecurity, network security, fintech, and information security. He has also worked as a freelance writer for tech, health, beauty, fitness, and gaming publications, and he has experience in SEO writing, product descriptions/reviews, and news stories. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.