North Korean Hackers Exploit Unpatched Zimbra Devices in ‘No Pineapple’ Campaign



Feb 02, 2023 | Ravie Lakshmanan | Healthcare / Cyber Attack


A new intelligence-gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.

That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple in reference to an error message used in one of the backdoors.

Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, and a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.

Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.

"The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August," WithSecure said in a detailed technical report shared with The Hacker News.

The security flaws used for initial access are CVE-2022-27925 and CVE-2022-37042, both of which could be abused to gain remote code execution on the underlying server.

This step was followed by the installation of web shells and the exploitation of a local privilege escalation vulnerability on the Zimbra server (i.e., Pwnkit, aka CVE-2021-4034), enabling the threat actor to harvest sensitive mailbox data.

Subsequently, in October 2022, the adversary is said to have carried out lateral movement and reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.

GREASE, which has been attributed to another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules.

Dtrack, on the other hand, has been employed in cyber attacks aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of Maui ransomware.

"At the beginning of November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses," researchers Sami Ruohonen and Stephen Robinson pointed out, adding that the data exfiltration occurred from November 5, 2022, through November 11, 2022.

Also used in the intrusion were tools like Plink and 3Proxy to create a proxy on the victim system, echoing previous findings from Cisco Talos about Lazarus Group's attacks targeting energy providers.

Besides the actor relying solely on IP address-based infrastructure without any domains, a crucial link exposing the campaign's ties to North Korea is a connection originating from an IP address located in the country (175.45.176[.]27) to the patient-zero server.
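The two observations above suggest a pair of detection angles a defender can apply to perimeter logs: matching outbound connections against the published indicator, and flagging internal hosts that connect at regular intervals to external IPs that were never resolved through DNS (a side effect of domain-less, IP-only infrastructure). The following Python script is an added example, not code from the article or WithSecure's report; the log format and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicator from the report, kept defanged exactly as published.
DEFANGED_IOCS = ["175.45.176[.]27"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable address."""
    return ioc.replace("[.]", ".")

# Constructed sample log (hypothetical format): "<ISO time> <dns|conn> <src> <dst>".
# "dns" lines record an answer for <dst>; "conn" lines record an outbound connection.
SAMPLE_LOG = """\
2022-11-02T09:00:00 dns 10.0.5.12 203.0.113.10
2022-11-02T09:00:01 conn 10.0.5.12 203.0.113.10
2022-11-02T09:01:00 conn 10.0.5.40 198.51.100.7
2022-11-02T09:02:00 conn 10.0.5.40 198.51.100.7
2022-11-02T09:03:00 conn 10.0.5.40 198.51.100.7
2022-11-02T09:04:00 conn 10.0.5.40 198.51.100.7
2022-11-02T09:10:00 conn 10.0.5.40 175.45.176.27
"""

LINE_RE = re.compile(r"^(\S+) (dns|conn) (\S+) (\S+)$")

def analyse(log_text, iocs=DEFANGED_IOCS, min_beacons=4, jitter=0.2):
    """Return (finding, src, dst) tuples for IoC hits, DNS-less destinations and beaconing."""
    known_bad = {refang(i) for i in iocs}
    resolved = set()            # destinations that appeared in a DNS answer
    conns = defaultdict(list)   # (src, dst) -> connection timestamps
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, src, dst = m.groups()
        if kind == "dns":
            resolved.add(dst)
            continue
        conns[(src, dst)].append(datetime.fromisoformat(ts))
        if dst in known_bad:
            findings.append(("known_ioc", src, dst))
    for (src, dst), times in conns.items():
        if dst not in resolved:
            findings.append(("no_dns", src, dst))
        # Near-constant gaps between successive connections suggest a C2 beacon.
        if len(times) >= min_beacons:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
                findings.append(("beacon", src, dst))
    return findings
```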

North Korea-backed hacking groups had a busy 2022, conducting a series of both espionage-driven attacks and cryptocurrency heists that align with the regime's strategic priorities.

Most recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and TA444, was linked to wide-ranging credential harvesting attacks aimed at the education, financial, government, and healthcare sectors.

"North Korea-linked hackers such as those in cybercriminal syndicate Lazarus Group have been by far the most prolific cryptocurrency hackers over the past few years," blockchain analytics firm Chainalysis said, calling 2022 the "biggest year ever for crypto hacking."

In 2022 alone, the threat actors were accused of being responsible for $1.65 billion worth of cryptocurrency theft, of which $1.1 billion originated from hacks of DeFi protocols. A total of $3.8 billion was stolen from crypto firms during the year, up from $3.3 billion in 2021.
