Feds Warn Health Sector of Lazarus Group Attacks
HHS: North Korean-Sponsored Group Is Exploiting Critical Zoho ManageEngine Flaw
Federal authorities are warning of "significant risk" for potential attacks on healthcare and public health sector entities by the North Korean-state sponsored Lazarus Group involving exploitation of a critical vulnerability in 24 ManageEngine IT management tools from Zoho.
The alert issued Tuesday by the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center warns that the cybercriminal group has been targeting "internet backbone infrastructure and healthcare entities" in Europe and the United States with exploits of a vulnerability tracked as CVE-2022-47966.
The vulnerability is exploitable if the SAML single sign-on is or ever has been enabled in the ManageEngine setup, HHS HC3 said.
Attackers are exploiting the vulnerability to deploy the remote access Trojan QuiteRAT, HHS HC3 said. "Security researchers previously identified this malware in February 2023, and it is reportedly the successor to the group's previously used malware 'MagicRAT,' which contains many of the same capabilities."
Analysis also shows that the Lazarus Group is using a new malware tool called CollectionRAT, which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities, HHS HC3 warned.
CollectionRAT is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus subgroup, Andariel, HHS HC3 said. "CollectionRAT is also used for gathering metadata, managing files on the infected system and delivering additional payloads."
CISA added the CVE-2022-47966 flaw to its known exploited vulnerabilities catalog in January. Zoho ManageEngine said it had fixed the issue by updating a third-party module to the most recent version. HHS HC3 said it strongly advises healthcare and public health sector organizations to update the affected software to the latest version.
The HHS HC3 alert follows a similar bulletin issued on Sept. 9 jointly by CISA and the FBI that warned of nation-state-sponsored actors exploiting CVE-2022-47966 in ManageEngine, as well as an unrelated vulnerability, CVE-2022-42475, in Fortinet FortiOS SSL VPN (see: Feds Urge Immediate Patching of Zoho and Fortinet Products).
Security researchers at Cisco Talos reported in an August blog post about evolving Lazarus Group threats involving the ManageEngine CVE-2022-47966 vulnerability.
"Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase," Cisco Talos wrote.
Caitlin Condon, head of vulnerability research at security firm Rapid7, told Information Security Media Group that various ManageEngine vulnerabilities have been exploited by a variety of threat actors in the past several years.
"While the HHS warning may be about a specific threat, we would strongly advise organizations not to hyper-focus on one adversary when there's evidence that a variety of attackers are targeting known ManageEngine CVEs," she said.
In the bigger picture, healthcare and public health sector entities are also facing other serious threat actors, according to Condon. "In the first half of 2023, the major financially motivated groups we saw targeting the HPH sector were ransomware groups like Rhysida and Stop/Cuba," she said.
"We have not specifically attributed any recent attacks to the Lazarus Group, though our threat analytics team does track state-sponsored attacks more generally," Condon told ISMG. "Exploiting public-facing applications - such as ManageEngine applications - was the top technique we saw across state-sponsored attacks in the first half of 2023."
CVE-2022-47966 has been exploited in the past to deploy coin miners, web shells and ransomware in target environments, she said.
"We consider it a widespread threat and would advise organizations to patch on an emergency basis if they have not already done so," Condon said. "There is considerable risk from unpatched installations given that CVE-2022-47966 has been a known risk for the better part of a year, and attackers may have already leveraged the vulnerability as an initial access vector for more wide-ranging operations."