HC3: Lazaraus Group malware targets health systems’ ManageEngine vulnerabilities
The Lazaraus Group, whose Cisco Talus reportedly targets Internet backbone infrastructure and healthcare entities in Europe and the United States, developed its MagicRAT malware and deployed the Trojan within five days of discovering the vulnerability in ManageEngine products in January. Cybersecurity Coordination Center said.
WHY IT MATTERS
The Lazzarus Group can exploit the CVE-2022-47966 vulnerability — if SAML single sign-on is or has ever been enabled in the ManageEngine installation — and perform remote code execution, HC3 said Monday in its alert.
The exploit saw the attackers deploy the remote access trojan known as QuietRAT, which security researchers identified in February 2023 as a successor to the group’s previously used malware, MagicRAT, “which contains many of the same capabilities.”
QuietRAT has a file size of 4 MB. It “lacks the ability to perform persistence capabilities on its own, and the hackers must perform this task separately,” HC3 said.
HC3 also said that the group is now using a new malware tool called CollectionRAT, “which appears to work like most RATs, by allowing the attacker to execute arbitrary commands, among other capabilities.” This malware is believed to be part of the Jupiter/EarlyRAT malware family previously linked to a Lazarus subgroup, Andariel.
Note that machine learning and heuristic analysis are less reliable because both RATS are built on the less commonly used Qt framework, the organization said.
ManageEngine has released patches for everyone affected products in October 2022, according to the indicators of compromise information to which HC3 is linked.
THE BIG TREND
OrthoVirginia, the largest orthopedic practice in the state, was snared by the Ryuk ransomware in 2021, according to Teri Ripley, Chief Information Officer.
Ripley said this earlier this month from the HIMSS Cybersecurity Forum in Boston Healthcare IT news about the attack and recovery. An employee was infected at home with a phishing email to his personal email address and then infected the provider’s network when he connected to the virtual private network.
The attackers wanted millions, she said.
OrthoVirginia didn’t pay, but it took 18 months — “mainly to reload the PACS images from radiology” — to fully restore their data, she said.
The doctor’s practice was able to quickly take down network systems after the attack started and keep some data clean and unencrypted, but they did not have a reliable backup, she noted.
ON THE RECORD
“This vulnerability has reportedly allowed the state-sponsored group Lazarus to target Internet backbone infrastructure and healthcare facilities in Europe and the United States,” HC3 said in the alert.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.