HC3: Lazaraus Group malware targets health systems’ ManageEngine vulnerabilities

Trending 2 months ago

Sed ut perspiciatis unde.


The Lazaraus Group, which Cisco Talus reported to beryllium targeting net backbone infrastructure and healthcare entities successful Europe and nan United States, evolved its MagicRAT malware and deployed nan trojan wrong 5 days of nan find of nan vulnerability successful ManageEngine products successful January, nan Health Sector Cybersecurity Coordination Center said.


The Lazzarus Group tin utilization nan CVE-2022-47966 vulnerability – if nan SAML single-sign-on is aliases ever has been enabled successful nan ManageEngine setup – and execute distant codification execution, HC3 said Monday successful its alert.

Through nan exploit, nan attackers are deploying nan distant entree trojan known arsenic QuiteRAT which information researchers identified successful February 2023 arsenic a successor to nan group’s antecedently utilized malware, MagicRAT, “which contains galore of nan aforesaid capabilities.”

QuiteRAT has a 4MB record size. It “lacks nan expertise to execute persistence capabilities connected its own, and nan hackers must execute this task separately,” HC3 said.

HC3 besides said nan group is now utilizing a caller malware instrumentality called CollectionRAT, “which appears to run for illustration astir RATs by allowing nan attacker to tally arbitrary commands among different capabilities.” This malware is believed to beryllium portion of nan Jupiter/EarlyRAT malware family antecedently linked to linked to a Lazarus subgroup, Andariel.

Of note, instrumentality learning and heuristic study are little reliable because some RATS are built connected nan little commonly utilized Qt framework, nan statement said.

ManageEngine released patches for all affected products in October 2022, according to nan indicators of discuss accusation HC3 linked to.


OrthoVirginia, the largest orthopedic believe successful nan state, was snared by Ryuk ransomware successful 2021, according Teri Ripley, main accusation officer.

Ripley, speaking from nan HIMSS Cybersecurity Forum successful Boston earlier this period told Healthcare IT News about nan onslaught and recovery. An employee was infected pinch a phishing email astatine location connected their individual email, and past infected nan provider’s web erstwhile they connected to its virtual backstage network.

The attackers wanted millions, she said. 

OrthoVirginia didn’t pay, but needed 18 months – “Especially for nan radiology PACS images to get loaded backmost in” – to fully recover their data, she said. 

The physician-owned believe was capable to unopen down web systems quickly aft nan onslaught was initiated and support immoderate information cleanable and unencrypted, but they didn’t person a reliable back-up, she noted.


“Through this vulnerability, nan authorities sponsored group Lazarus has reportedly been targeting net backbone infrastructure and healthcare entities successful Europe and nan United States,” HC3 said successful nan alert.

Andrea Fox is elder editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is simply a HIMSS Media publication.