Security News > 2023 > August > Hackers use public ManageEngine exploit to breach internet org
The North Korean state-backed hacker group tracked as Lazarus has been exploiting a critical vulnerability in Zoho's ManageEngine ServiceDesk to compromise an internet backbone infrastructure provider and healthcare organizations.
Cisco Talos researchers observed attacks against UK internet firms in early 2023, when Lazarus leveraged an exploit for CVE-2022-47966, a pre-authentication remote code execution flaw affecting multiple Zoho ManageEngine products.
"In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access," Cisco Talos said.
After exploiting the vulnerability to breach a target, Lazarus hackers dropped the QuiteRAT malware from an external URL using a curl command.
In a separate report today, Cisco Talos said that Lazarus hackers have a new malware called CollectionRAT. The new threat was found after researchers examined infrastructure the actor used in other attacks.
Lazarus hackers linked to $60 million Alphapo cryptocurrency heist.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-01-18 | CVE-2022-47966 | Unspecified vulnerability in Zohocorp products: Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. | 9.8 |