A North Korean State-Backed Hacking Group Leveraged Zoho's ManageEngine ServiceDesk for Compromise

Cyber Security Threat Summary:
The North Korean state-backed hacker group Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk software to compromise an internet backbone infrastructure provider and healthcare organizations. This campaign began in early 2023, targeting entities in the U.S. and U.K. The attackers employed the QuiteRAT malware and a newly identified remote access trojan (RAT) named CollectionRAT. The latter was discovered through the analysis of the group's infrastructure.

Security Officer Comments:
The Lazarus Group, supported by North Korea, poses a serious threat to Managed Service Providers (MSPs). By exploiting vulnerabilities like those in Zoho's ManageEngine ServiceDesk, they could breach multiple client networks, intensifying the impact of their attacks. This emphasizes the risk of supply chain attacks, where MSPs serve as a way to compromise various industries and entities.

Suggested Correction(s):
To counter this threat, MSPs must institute robust security measures, including continuous monitoring, strong authentication, and isolating client network segments. The group's focus on software vulnerabilities highlights the need to assess and secure third-party tools within MSP operations. Collaborating with industry peers for sharing threat intelligence and crafting tailored incident response plans for various client environments can bolster defenses against the Lazarus Group's tactics.

Details: CVE-2022-47966
9.8 Critical, Published by Zoho on: 01/18/2023

  • Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
  • https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
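The advisory text above attributes the flaw to xmlsec 1.4.1 leaving it to the application to guard its XSLT transform feature, a protection ManageEngine did not add. The following is an added example, not code from the advisory, from Zoho, or from the ManageEngine products, of the kind of application-side guard that is meant: before an XML document is handed to a signature library, every ds:Transform it declares is checked against an allow list, and any XSLT transform (or other unexpected algorithm) is rejected. The allow list, the function names and the two sample documents are assumptions constructed for this example; the transform algorithm identifiers themselves are the standard XML-Signature ones.

```python
"""Reject XML-Signature transforms an application never expects.

Added example, not from the advisory or from Zoho. It pre-screens an XML
document before a signature library processes it, so that an XSLT transform
is never executed. Sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML-Signature algorithm identifier for the XSLT transform.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumed allow list: the transforms a typical signed-XML verifier needs
# (enveloped signature plus canonicalization). Anything else is refused.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}


def find_disallowed_transforms(xml_text: str) -> list:
    """Return the Algorithm value of every ds:Transform not on the allow list.

    ElementTree only parses here; no transform is applied, so a hostile
    stylesheet is inspected as inert text rather than executed.
    """
    root = ET.fromstring(xml_text)
    disallowed = []
    for transform in root.iter(f"{{{DSIG_NS}}}Transform"):
        algorithm = transform.get("Algorithm", "")
        if algorithm not in ALLOWED_TRANSFORMS:
            disallowed.append(algorithm)
    return disallowed


def signature_is_acceptable(xml_text: str) -> bool:
    """True only when every declared transform is on the allow list."""
    return not find_disallowed_transforms(xml_text)


# Constructed sample: a signature using only enveloped-signature and exc-c14n.
SAFE_DOC = """<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</Response>"""

# Constructed sample: same structure, but declaring an XSLT transform.
# The embedded stylesheet is deliberately empty; the guard must refuse it
# on the algorithm alone, without looking at the stylesheet contents.
XSLT_DOC = """<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
            <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"/>
          </ds:Transform>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</Response>"""


if __name__ == "__main__":
    for name, doc in (("safe", SAFE_DOC), ("xslt", XSLT_DOC)):
        verdict = "accept" if signature_is_acceptable(doc) else "reject"
        print(f"{name}: {verdict} {find_disallowed_transforms(doc)}")
```

This guard is a pre-filter, not a substitute for signature verification: a document that declares no transforms at all passes it and must still fail or succeed on its signature in the normal way. The point of running it first is that the decision is made on the declared algorithm identifier before any library executes a transform, which is exactly the protection the advisory says the application had to supply for that xmlsec version.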