2 February 2023

North Korean Lazarus Group targets medical research and tech orgs via unpatched Zimbra servers

A new cyber-espionage campaign linked to a well-known North Korea-affiliated threat actor called “Lazarus Group” has exploited several vulnerabilities in unpatched Zimbra servers to gain access to victim organizations and steal data.

The new operation, codenamed “No Pineapple” by researchers at the Finnish cybersecurity firm WithSecure (formerly F-Secure), targeted public and private sector research organizations, the medical research and energy sectors, and their supply chains. Victims in this campaign included the healthcare research vertical in India, a manufacturer of technology used in the energy, research, defense, and healthcare verticals, and the chemical engineering department of a major research university.

In an incident analyzed by WithSecure, the attackers gained initial access to the victim organization at the end of last August by exploiting a pair of vulnerabilities (CVE-2022-27925, CVE-2022-37042) in an unpatched Zimbra mail server. They then installed commodity webshells and tunnelling/relay software (PuTTY Plink and 3Proxy). After this, the threat actor exploited a local privilege escalation bug (CVE-2021-4034) in the pkexec utility to gain root privileges.

A month later, in October 2022, the attackers performed lateral movement, reconnaissance, and ultimately deployed multiple custom tools and malware backdoors such as Dtrack and a new version of Grease.

“The overall toolkit of the threat actor is very similar to other reported instances of North Korean groups. The usage of Dtrack and Grease malware has been previously associated with Kimsuky, while Dtrack is also in the Lazarus arsenal,” the researchers note.

The threat actor then planted Cobalt Strike C2 beacons on the compromised internal server and stole nearly 100 GB of data from the victim network.

“North Korean threat actors have conducted financial, espionage and sabotage cyber-attacks for a long time. Lazarus Group has been active throughout 2022 and attacked multiple high value targets from various private and public industry and research verticals,” WithSecure says. “DPRK threat actor targeting reflects the state’s priorities. As such, South Korea is a particular focus, but targeting of other nations is commonplace, as well as financial crime (both theft and ransomware) to fund the state, and commercial/industrial espionage. These actors will also target defectors, journalists, human rights organizations, and other entities which may criticize or focus upon the DPRK.”
