Lazarus Threat Group Targets Healthcare With ManageEngine Vulnerability

September 20, 2023 - The Lazarus Group, a North Korean state-sponsored cyber threat group, has been actively targeting healthcare entities and internet backbone infrastructure in Europe and the US, the Health Secor Cybersecurity Coordination Center (HC3) warned in its latest sector alert.

Citing an open-source report published by Cisco Talos, HC3 detailed the tactics of Lazarus, which has been exploiting a known critical vulnerability (CVE-2022-47966) in ManageEngine products. ManageEngine offers more than 60 enterprise IT management tools that help organizations manage networks, servers, applications, Active Directory, desktops, and more.

These exploits constitute the third documented campaign attributed to Lazarus in less than a year, Cisco Talos noted.

The vulnerability received a CVSS score of 9.8 and was first logged in January 2023. This vulnerability is known to impact 24 ManageEngine products, allowing it to perform remote code execution. Lazarus threat actors are using the vulnerability to deploy a remote access trojan (RAT) known as “QuiteRAT,” which is believed to be the successor of “MagicRAT.”

“Further analysis of this campaign has also shown that the group is using a new malware tool called ‘CollectionRAT,’ which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities,” the sector alert stated.

“Both CISA and the FBI have previously warned that these types of vulnerabilities are common attack methods for malicious actors and can pose a significant risk to healthcare and public health organizations. HC3 strongly encourages organizations to update these systems.”

HC3 provided links to known indicators of compromise (IOCs) that healthcare organizations can use to identify exploits in their ManageEngine systems.

The vulnerability can be patched by updating the third-party module to the most recent version. HC3 urged organizations to apply the update as soon as possible.

In other news, HC3 recently released a sector alert about the Akira ransomware group, another group that has been targeting healthcare. Akira has claimed more than 60 victims across multiple sectors, including healthcare, real estate, manufacturing, and finance.

Akira ransomware actors have been observed leveraging compromised credentials and taking advantage of weaknesses in virtual private networks (VPNs). Other tactics include phishing emails, trojans, and drive-by download attacks.

“Like many ransomware groups, they employed the double-extortion technique against their victims by exfiltrating data prior to encryption,” the alert noted. “It is also believed that the group may contain some affiliation with Conti due to observed overlap in their code and cryptocurrency wallets.”

As always, healthcare organizations are encouraged to be proactive when it comes to implementing safeguards, patching vulnerabilities, and defending against ransomware as a sector.