Healthcare industry targeted by exploiting ManageEngine vulnerabilities

published: Sept. 20, 2023

Take action: If you have delayed patching your Zoho ManageEngine products, it's high time to panic. And start patching. And check if you have already been hacked, because it's quite probable that you have.


The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3) has issued a warning highlighting a "significant risk" of potential cyber attacks on healthcare and public health sector entities by the North Korean state-sponsored Lazarus Group. The group is exploiting CVE-2022-47966, a critical vulnerability present in 24 ManageEngine IT management tools from Zoho.

CVE-2022-47966 has been exploited in the past to deploy coin miners, web shells, and ransomware in target environments.

The vulnerability is exploitable if SAML single sign-on is enabled, or has ever been enabled, in the ManageEngine setup.

According to HHS HC3, attackers are using this vulnerability to deploy the remote access Trojan QuiteRAT. Additionally, a new malware tool named CollectionRAT has been identified, with RAT-like capabilities that allow the attacker to execute arbitrary commands and more.

Zoho ManageEngine has confirmed that it fixed the issue by updating a third-party module to the latest version. HHS HC3 strongly recommends that healthcare and public health sector organizations promptly update the affected software to the most recent version.

The HHS HC3 alert follows a bulletin issued jointly by CISA and the FBI on September 9, warning about nation-state-sponsored actors exploiting CVE-2022-47966 in ManageEngine.
