HC3: Lazaraus Group malware targets health systems' ManageEngine vulnerabilities

The North Korean state-sponsored actor known for Ryuk ransomware is deploying two new remote access trojans to target hospitals and health systems through a critical vulnerability affecting 24 products.
By Andrea Fox
11:32 AM

Photo by: Sora Shimazaki/Pexels

The Lazaraus Group, which Cisco Talus reported to be targeting internet backbone infrastructure and healthcare entities in Europe and the United States, evolved its MagicRAT malware and deployed the trojan within five days of the discovery of the vulnerability in ManageEngine products in January, the Health Sector Cybersecurity Coordination Center said.

WHY IT MATTERS

The Lazzarus Group can exploit the CVE-2022-47966 vulnerability – if the SAML single-sign-on is, or ever has been, enabled in the ManageEngine setup – and perform remote code execution, HC3 said Monday in its alert.

Through the exploit, the attackers are deploying the remote access trojan known as QuiteRAT which security researchers identified in February 2023 as a successor to the group’s previously used malware, MagicRAT, "which contains many of the same capabilities."

QuiteRAT has a 4MB file size. It "lacks the ability to perform persistence capabilities on its own, and the hackers must accomplish this task separately," HC3 said.

HC3 also said the group is now using a new malware tool called CollectionRAT, "which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities." This malware is believed to be part of the Jupiter/EarlyRAT malware family previously linked to linked to a Lazarus subgroup, Andariel.

Of note, machine learning and heuristic analysis are less reliable because both RATS are built on the less commonly used Qt framework, the organization said.

ManageEngine released patches for all affected products in October 2022, according to the indicators of compromise information HC3 linked to.

THE LARGER TREND

OrthoVirginia, the largest orthopedic practice in the state, was snared by Ryuk ransomware in 2021, according Teri Ripley, its chief information officer.

Ripley, speaking from the HIMSS Cybersecurity Forum in Boston earlier this month, told Healthcare IT News about the attack and the recovery. An employee was infected with a phishing email at home on their personal email, and then infected the provider's network when they connected to its virtual private network.

The attackers wanted millions, she said. 

OrthoVirginia didn't pay, but needed 18 months – "Especially for the radiology PACS images to get loaded back in" – to fully recover their data, she said. 

The physician-owned practice was able to shut down network systems quickly after the attack was initiated and keep some data clean and unencrypted, but they didn't have a reliable back-up, she noted.

ON THE RECORD

"Through this vulnerability, the state sponsored group Lazarus has reportedly been targeting internet backbone infrastructure and healthcare entities in Europe and the United States," HC3 said in the alert.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.