H-ISAC TLP White Finished Intelligence Report: HC3 Joint Sector Alert

On September 18, 2023, the Health Sector Cybersecurity Coordination Center (HC3) released a sector alert regarding the Lazarus group exploiting a ManageEngine vulnerability.

Cisco Talos published an open-source report regarding the North Korean state-sponsored actor, the Lazarus Group, reported to be targeting internet backbone infrastructure and healthcare entities in Europe and the United States.

The attackers have been exploiting a vulnerability in ManageEngine products, which is tracked as CVE-2022-47966. This vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog in January 2023. Through this exploit, the attackers are deploying the remote access trojan (RAT) known as QuiteRAT.

Security researchers previously identified this malware in February 2023, and it is reportedly the successor to the group's previously used malware MagicRAT, which contains many of the same capabilities. Further analysis of this campaign has also shown that the group is using a new malware tool called CollectionRAT, which appears to operate like most RATs by allowing the attacker to run arbitrary commands, among other capabilities.

Both CISA and the FBI have previously warned that these types of vulnerabilities are common attack methods for malicious actors and can pose a significant risk to healthcare and public health organizations. HC3 strongly encourages organizations to update these systems.

For additional details, please see the attached report.