Lazarus Group Exploits ManageEngine Vulnerability

Cisco Talos has published an open-source report regarding the North Korean state-sponsored actor, the Lazarus Group, reported to be targeting internet backbone infrastructure and healthcare entities in Europe and the United States. The attackers have been exploiting a vulnerability in ManageEngine products, which is tracked as CVE-2022-47966. This vulnerability was added to the Cybersecurity and Infrastructure Security Agency’s (CISA)  Known Exploited Vulnerabilities Catalog in January 2023. Through this exploit, the attackers are deploying the remote access trojan (RAT) known as “QuiteRAT.” Security researchers previously identified this malware in February 2023, and it is reportedly the successor to the group’s previously used malware “MagicRAT,” which contains many of the same capabilities. Further analysis of this campaign has also shown that the group is using a new malware tool called “CollectionRAT,” which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities. Both CISA and the FBI have previously warned that these types of vulnerabilities are common attack methods for malicious actors and can pose a significant risk to healthcare and public health organizations.
This HC3 Sector Alert provides additional details, indicators of compromise, mitigation recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals.