A new cyber-espionage campaign linked to a well-known North Korea-affiliated threat actor called “Lazarus Group” has exploited several vulnerabilities in unpatched Zimbra servers to gain access to victim organizations and steal data.
The operation, codenamed “No Pineapple” by researchers at the Finnish cybersecurity firm WithSecure (formerly F-Secure), targeted public and private sector research organizations, the medical research and energy sectors, and their supply chains. Victims in this campaign included a healthcare research organization in India, a manufacturer of technology used in the energy, research, defense, and healthcare verticals, and the chemical engineering department of a major research university.
In an incident analyzed by WithSecure, the attackers gained initial access to the victim organization at the end of last August by exploiting a pair of vulnerabilities (CVE-2022-27925 and CVE-2022-37042) in an unpatched Zimbra mail server. They then installed commodity webshells and tunnelling/relay software (PuTTY Plink and 3Proxy). After that, the threat actor exploited a local privilege escalation bug (CVE-2021-4034) in the pkexec utility to gain root privileges.
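The chain WithSecure describes on the mail server (webshell, then tunnelling tools, then the pkexec escalation) is a sequence a defender can hunt for in process-execution telemetry. The Python script below is an added example written for this article; it is not WithSecure's tooling and nothing in it is taken from the report. It parses constructed, simplified key=value process events (the log format, the field names, the `zimbra` service account, the `java` parent process, the `/tmp` paths and the idea that a sensor records an empty command line as `cmd=''` are all assumptions), flags each stage, and reports hosts on which the full sequence appears in chronological order.

```python
"""Hunt for a webshell -> tunnelling tool -> pkexec escalation sequence in
process-execution telemetry.  Illustrative example only: log format, field
names, account names and paths are assumptions, not taken from the report."""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample records in an invented, simplified EDR/auditd-like format.
SAMPLE_EVENTS = [
    "ts=2022-08-29T10:02:11Z host=mail01 user=zimbra parent=/opt/zimbra/common/lib/jvm/java/bin/java exe=/bin/sh cmd='sh -c id'",
    "ts=2022-08-29T10:05:40Z host=mail01 user=zimbra parent=/bin/sh exe=/tmp/plink cmd='/tmp/plink'",
    "ts=2022-08-29T10:06:02Z host=mail01 user=zimbra parent=/bin/sh exe=/tmp/3proxy cmd='/tmp/3proxy /tmp/3proxy.cfg'",
    "ts=2022-08-29T10:09:15Z host=mail01 user=zimbra parent=/bin/sh exe=/usr/bin/pkexec cmd=''",
    "ts=2022-08-29T10:09:16Z host=mail01 user=root parent=/usr/bin/pkexec exe=/bin/bash cmd='bash'",
    # Benign noise: a Zimbra admin command under java, and root running pkexec from cron.
    "ts=2022-08-29T11:00:00Z host=mail01 user=zimbra parent=/opt/zimbra/common/lib/jvm/java/bin/java exe=/opt/zimbra/bin/zmcontrol cmd='zmcontrol status'",
    "ts=2022-08-29T11:05:00Z host=web02 user=root parent=/usr/sbin/cron exe=/usr/bin/pkexec cmd='pkexec --version'",
]

EVENT_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
SERVICE_ACCOUNTS = {"zimbra", "www-data", "tomcat"}          # assumption
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
TUNNEL_TOOLS = {"plink", "3proxy"}                           # the relay tools named in the article
STAGE_ORDER = ["webshell", "tunnelling", "pkexec_attempt", "root_shell"]


@dataclass
class Finding:
    stage: str
    ts: str
    host: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line; quoted values may contain spaces or be empty."""
    return {k: v.strip("'") for k, v in EVENT_RE.findall(line)}


def check_webshell(ev: Dict[str, str]) -> Optional[Finding]:
    # A mail/web service account's Java process spawning a shell is the
    # classic footprint of a webshell executing commands.
    if (ev.get("user") in SERVICE_ACCOUNTS
            and os.path.basename(ev.get("parent", "")) == "java"
            and ev.get("exe") in SHELLS):
        return Finding("webshell", ev["ts"], ev["host"], f"{ev['parent']} -> {ev['cmd']}")
    return None


def check_tunnel(ev: Dict[str, str]) -> Optional[Finding]:
    name = os.path.basename(ev.get("exe", "")).lower()
    if name in TUNNEL_TOOLS:
        return Finding("tunnelling", ev["ts"], ev["host"], f"{name} run by {ev.get('user')}")
    return None


def check_pkexec(ev: Dict[str, str]) -> Optional[Finding]:
    # pkexec launched by a non-root service account is unusual on a mail server;
    # an empty argument vector is the condition CVE-2021-4034 abuses (whether the
    # sensor records it as cmd='' is an assumption of this example).
    if os.path.basename(ev.get("exe", "")) == "pkexec" and ev.get("user") != "root":
        detail = f"pkexec by {ev['user']}"
        if ev.get("cmd", "") == "":
            detail += " with empty command line (argc == 0)"
        return Finding("pkexec_attempt", ev["ts"], ev["host"], detail)
    return None


def check_root_shell(ev: Dict[str, str]) -> Optional[Finding]:
    # Success indicator: a root shell whose parent is pkexec.
    if (ev.get("user") == "root"
            and os.path.basename(ev.get("parent", "")) == "pkexec"
            and ev.get("exe") in SHELLS):
        return Finding("root_shell", ev["ts"], ev["host"], f"root {ev['exe']} under pkexec")
    return None


CHECKS: List[Callable[[Dict[str, str]], Optional[Finding]]] = [
    check_webshell, check_tunnel, check_pkexec, check_root_shell]


def hunt(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        findings.extend(f for f in (c(ev) for c in CHECKS) if f)
    return findings


def chain_per_host(findings: List[Finding]) -> Dict[str, List[str]]:
    """Distinct stages per host, in the order they were first observed."""
    hosts: Dict[str, List[str]] = {}
    for f in sorted(findings, key=lambda f: f.ts):
        stages = hosts.setdefault(f.host, [])
        if f.stage not in stages:
            stages.append(f.stage)
    return hosts


def full_chain_hosts(findings: List[Finding]) -> List[str]:
    """Hosts on which every stage fired, in the expected order."""
    return [h for h, st in chain_per_host(findings).items() if st == STAGE_ORDER]


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.ts} {f.host} [{f.stage}] {f.detail}")
    print("full chain on:", full_chain_hosts(results))
```

Individually, each rule is noisy (administrators do run pkexec, and Plink has legitimate uses); the value is in correlating them per host and in order, so the escalation is judged against what preceded it on the same machine.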
A month later, in October 2022, the attackers performed lateral movement and reconnaissance, and ultimately deployed multiple custom tools and malware backdoors, including Dtrack and a new version of Grease.
“The overall toolkit of the threat actor is very similar to other reported instances of North Korean groups. The usage of Dtrack and Grease malware has been previously associated with Kimsuky, while Dtrack is also in the Lazarus arsenal,” the researchers note.
The threat actor then planted Cobalt Strike C2 beacons on the compromised internal server and stole nearly 100 GB of data from the victim network.
“North Korean threat actors have conducted financial, espionage and sabotage cyber-attacks for a long time. Lazarus Group has been active throughout 2022 and attacked multiple high-value targets from various private and public industry and research verticals,” WithSecure says. “DPRK threat actor targeting reflects the state’s priorities. As such, South Korea is a particular focus, but targeting of other nations is commonplace, as well as financial crime (both theft and ransomware) to fund the state, and commercial/industrial espionage. These actors will also target defectors, journalists, human rights organizations, and other entities which may criticize or focus upon the DPRK.”