The North Korean Lazarus APT group has been linked to a new intelligence-gathering campaign named ‘No Pineapple.’ The group exploited known security flaws in unpatched Zimbra mail servers to compromise public and private sector research organizations in the healthcare and energy sectors.
An intelligence-gathering campaign
Security firm WithSecure has dubbed the campaign No Pineapple in reference to an error message used in one of the backdoors. The campaign is reported to have been active since Q3 2022.
The targets included healthcare research organizations in India, the chemical engineering department of a research university, a manufacturer of technology used in the energy, research, defense, and healthcare sectors, and an unnamed customer.
Further, the group is believed to have exfiltrated around 100GB of data in the course of the compromise of the unnamed customer; that break-in took place in Q3 2022.
Exploitation of Zimbra servers
In one of the attacks, Lazarus gained access to an unpatched Zimbra mail server by exploiting the remote code execution (RCE) flaws tracked as CVE-2022-27925 and CVE-2022-37042.
The attackers then exploited a local privilege escalation flaw on the Zimbra server (CVE-2021-4034) and installed web shells, which allowed the group to harvest sensitive mailbox data.
Tools and Tactics
After the initial compromise via the Zimbra servers, the threat actors deployed several malicious tools over a period of several months, including BindShell, 3proxy, Grease, Acres, DTrack, App.relch, Webshell.G, and Webshell.B.
The group used off-the-shelf web shells and custom binaries and abused legitimate Windows and Unix tools. The tools were installed for proxying, tunneling, and relaying connections.
The C2 behavior also indicates that the attackers used a small number of C2 servers reached through numerous relays and endpoints.
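A triage check for the web shells described in the two sections above, as an added example that is not from the article or from WithSecure's report: it walks a supplied web root (the Zimbra web application directory would be the natural place to point it) and flags recently modified script files that carry more than one command-execution indicator. The indicator patterns, the file names and the sample contents are constructed assumptions, not indicators from the campaign.

```python
import os
import re
import tempfile
import time

# Heuristic indicators of command execution in server-side scripts (assumed patterns, not from the report).
SHELL_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),        # JSP: spawn a process
    re.compile(rb"new\s+ProcessBuilder"),                 # JSP: spawn a process
    re.compile(rb"request\.getParameter\("),              # JSP: attacker-supplied input
    re.compile(rb"\b(system|passthru|shell_exec)\s*\("),  # PHP: spawn a process
    re.compile(rb"eval\s*\(\s*base64_decode"),            # PHP: obfuscated loader
]
SCRIPT_EXTS = (".jsp", ".jspx", ".php")

def suspicious_files(web_root, newer_than):
    """Return [(path, hits)] for script files under web_root modified after
    newer_than (epoch seconds) that match at least two indicators."""
    findings = []
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) <= newer_than:
                continue  # predates the baseline: outside the triage window
            with open(path, "rb") as fh:
                data = fh.read()
            hits = [p.pattern.decode() for p in SHELL_PATTERNS if p.search(data)]
            if len(hits) >= 2:
                findings.append((path, hits))
    return findings

def demo():
    """Build a constructed web root with one benign page, one planted shell and
    one old file, then return the basenames the triage flags."""
    root = tempfile.mkdtemp(prefix="webroot-")
    baseline = time.time() - 86400  # last known-good snapshot, one day ago
    with open(os.path.join(root, "index.jsp"), "wb") as fh:     # benign: one indicator only
        fh.write(b'<%= "hello " + request.getParameter("user") %>')
    with open(os.path.join(root, "uploaded.jsp"), "wb") as fh:  # planted shell: two indicators
        fh.write(b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    old = os.path.join(root, "old.php")                          # matches, but predates the baseline
    with open(old, "wb") as fh:
        fh.write(b'<?php eval(base64_decode($_POST["x"])); system($_GET["c"]); ?>')
    os.utime(old, (baseline - 10, baseline - 10))
    return sorted(os.path.basename(p) for p, _ in suspicious_files(root, baseline))
```

Pair the mtime window with a file-integrity baseline of the web root where one exists, since an attacker who resets timestamps will fall outside the window.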
Conclusion
The Lazarus group regularly updates its attack arsenal with new tools and tactics; this time that includes the exploitation of Zimbra servers. The first line of defense against such threats is a robust patch management process. In addition, a collaborative threat intelligence exchange can deliver the campaign's IOCs in real time, helping organizations stay current with the latest threats across the industry.