Federal authorities have issued a warning about potential cyberattacks by the North Korean-sponsored Lazarus Group targeting healthcare and public health sector entities. These attacks exploit a critical vulnerability in 24 ManageEngine IT management tools from Zoho.
Furthermore, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center highlighted the “significant risk” posed by the group, which has been targeting internet backbone infrastructure and healthcare entities in Europe and the United States. The vulnerability, tracked as CVE-2022-47966, allows attackers to deploy the QuiteRAT remote access Trojan.
Additionally, the Lazarus Group has introduced a new malware tool called CollectionRAT, which appears to function like most RATs, enabling attackers to execute arbitrary commands and perform other malicious activities.
CollectionRAT is believed to be linked to the Jupiter/EarlyRAT malware family, previously associated with a Lazarus subgroup called Andariel. CISA has included the CVE-22022-47966 flaw in its list of known exploited vulnerabilities since January, and Zoho ManageEngine has addressed the issue by updating a third-party module to the latest version. The HHS HC3 strongly advises healthcare and public health sector organizations to promptly update the affected software.
This warning follows a bulletin jointly issued by CISA and the FBI in September, cautioning about nation-state-sponsored actors exploiting the ManageEngine vulnerability, along with an unrelated vulnerability in Fortinet FortiOS SSL VPN. Lazarus Group’s tactics are evolving, with a shift towards using open-source tools and frameworks in the initial access phase of attacks.
While the HHS warning focuses on a specific threat, organizations are urged not to narrow their focus on one adversary, as multiple attackers are targeting known ManageEngine CVEs. Healthcare and public health sector entities are also under threat from ransomware groups like Rhysida and Stop/Cuba, highlighting the need for comprehensive cybersecurity measures.