North Korean Hackers Exploit Unpatched Zimbra Devices in ‘No Pineapple’ Campaign

A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.

That’s according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple.

Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.

Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.

“The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August,” WithSecure said in a detailed technical report shared with The Hacker News.

The security flaws used for initial access are CVE-2022-27925 and CVE-2022-37042, both of which could be abused to gain remote code execution on the underlying server.

This step was followed by the installation of web shells and the exploitation of a local privilege escalation vulnerability on the Zimbra server (i.e., Pwnkit, aka CVE-2021-4034), thereby enabling the threat actor to harvest sensitive mailbox data.

Subsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.

GREASE, which has been attributed as the handiwork of another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules.

Dtrack, on the other hand, has been employed in cyber assaults aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of Maui ransomware.

“At the beginning of November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses,” researchers Sami Ruohonen and Stephen Robinson pointed out, adding that the data exfiltration occurred from November 5, 2022, through November 11, 2022.

Also used in the intrusion were tools like Plink and 3Proxy to create a proxy on the victim system, echoing previous findings from Cisco Talos about Lazarus Group’s attacks targeting energy providers.

North Korea-backed hacking groups have had a busy 2022, conducting both espionage-driven attacks and cryptocurrency heists that align with the regime’s strategic priorities.

Most recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and TA444, was connected to wide-ranging credential harvesting attacks aimed at the education, financial, government, and healthcare sectors.