The North Korean state-sponsored Lazarus APT group has exploited several known, already-patched vulnerabilities in unpatched Zimbra servers to breach systems. The intrusions compromised public- and private-sector research organisations as well as entities in the energy and healthcare sectors.
This DPRK advanced persistent threat group has recently been linked to a new intelligence-gathering operation dubbed No Pineapple. The campaign name comes from an error string the actors used in one of their backdoors.
So far the North Korean hackers have targeted various organisations in India, including a healthcare research organisation, the chemical engineering department of a university, defence and technology manufacturers, and energy companies. Researchers reported that the actors had already exfiltrated about 100GB of data and that undisclosed customer information was compromised.
The breach occurred in the third quarter of last year.
Multiple remote code execution (RCE) vulnerabilities in unpatched Zimbra servers provided the threat actors' initial access.
According to the investigation, Lazarus gained access through the victims' Zimbra mail servers by exploiting two flaws: CVE-2022-27925, an RCE bug in the mailbox import function, and CVE-2022-37042, an authentication bypass that allows that RCE to be triggered without valid credentials.
The exploit let the attackers write web shells to the Zimbra server, through which they then harvested sensitive mailbox data.
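One way to act on the two CVEs above, as an added example that is not code from the report's authors or from Zimbra: a Python triage script that compares an installed patch level against the levels in which Zimbra fixed the bugs, and scans reverse-proxy access-log lines for hits on the mboximport endpoint the flaws live in and for POSTs to stray JSP files (the shape a dropped web shell leaves in the log). The fix levels, the `zmcontrol -v` output format, the combined access-log layout, the JSP heuristic and the sample log lines are assumptions or constructed data, to be checked against your own install and the vendor's advisory.

```python
"""Triage for Zimbra servers exposed to CVE-2022-27925 / CVE-2022-37042.

Added example, not code from the report or from Zimbra. Checks:
  1. Is the installed patch level older than the fix for either CVE?
  2. Does the access log show hits on the mboximport endpoint, or POSTs
     to JSP files that are not part of the stock web client?
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Patch level in which each CVE was fixed, taken from Zimbra's advisories.
# Assumption: verify against the vendor's current release notes before use.
FIXED_IN = {
    "CVE-2022-27925": {"8.8.15": 31, "9.0.0": 24},
    "CVE-2022-37042": {"8.8.15": 33, "9.0.0": 26},
}

# `zmcontrol -v` prints e.g.
# "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P30."
# (format assumed from typical installs).
_VERSION_RE = re.compile(r"Patch\s+(\d+\.\d+\.\d+)_P(\d+)")

# Combined-format access log as written by Zimbra's nginx front end (assumed layout).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint served by the MailboxImportServlet that both CVEs affect.
MBOXIMPORT = "/service/extension/backup/mboximport"


def parse_zmcontrol_version(text: str) -> Optional[Tuple[str, int]]:
    """Extract (release, patch_level) from `zmcontrol -v` output, or None."""
    m = _VERSION_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


def unpatched_cves(release: str, patch: int) -> List[str]:
    """CVEs from FIXED_IN that this release/patch level still lacks.
    A release line we have no data for is an error, not a clean bill of health."""
    if not any(release in levels for levels in FIXED_IN.values()):
        raise ValueError(f"no patch data for release {release}")
    out = []
    for cve, levels in FIXED_IN.items():
        fixed = levels.get(release)
        if fixed is None or patch < fixed:
            out.append(cve)
    return out


@dataclass
class Finding:
    ip: str
    ts: str
    kind: str  # "mboximport-success", "mboximport-attempt" or "jsp-post"
    target: str
    status: int


def triage_access_log(lines, known_jsps: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag log lines matching the intrusion pattern: any hit on mboximport
    (2xx = likely successful import, else an attempt) and any POST to a .jsp
    not in `known_jsps`. The JSP rule is a heuristic (assumption): build the
    allow-list from a clean install of the same version before trusting it."""
    findings: List[Finding] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip noise rather than crash
        path = m["target"].split("?", 1)[0]
        status = int(m["status"])
        if path.startswith(MBOXIMPORT):
            kind = "mboximport-success" if 200 <= status < 300 else "mboximport-attempt"
        elif m["method"] == "POST" and path.lower().endswith(".jsp") and path not in known_jsps:
            kind = "jsp-post"
        else:
            continue
        findings.append(Finding(m["ip"], m["ts"], kind, m["target"], status))
    return findings


# Constructed sample log lines (not real traffic): attempt, success, web-shell POST, benign, noise.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2022:03:14:07 +0000] "POST /service/extension/backup/mboximport?account-name=victim HTTP/1.1" 401 0 "-" "python-requests/2.28.1"',
    '203.0.113.7 - - [12/Aug/2022:03:14:09 +0000] "POST /service/extension/backup/mboximport?account-name=victim HTTP/1.1" 200 0 "-" "python-requests/2.28.1"',
    '203.0.113.7 - - [12/Aug/2022:03:15:41 +0000] "POST /zimbra/public/jsp/cmd.jsp HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Aug/2022:03:16:00 +0000] "GET /zimbra/ HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    "kernel: not an nginx line at all",
]

if __name__ == "__main__":
    rel = parse_zmcontrol_version(
        "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P30.")
    print("installed:", rel, "missing fixes for:", unpatched_cves(*rel))
    for f in triage_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.kind:20} {f.status} {f.target}")
```

A 2xx on mboximport from an unknown source address is the line to pivot on: it marks the moment the import (and whatever it wrote into the webapps tree) succeeded, and the JSP POSTs that follow from the same address are the shell being driven. Run the version check first; if the host is below P33/P26 the 401 on the first attempt proves nothing, because CVE-2022-37042 is exactly the bypass of that check.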
After gaining initial access, the adversaries deployed a range of malware and tools, including App.relch, Webshell.G, Grease, Acres, BindShell, 3proxy, DTrack and WebShell.B. The group combined off-the-shelf web shells and custom-built binaries with legitimate Windows and Unix utilities, using them for tunnelling, proxying and relaying connections.
Finally, the command-and-control (C2) traffic shows that the North Korean group routed its C2 through several servers connected via multiple relays and endpoints.
The Lazarus APT group is notorious for continually refining its toolset and tradecraft. It has now added Zimbra servers running outdated versions to its list of initial-access targets.
Security experts advise organisations to maintain a robust patch management process to protect against such threats. Threat-intelligence sharing also matters: collaboration between security teams produces indicators of compromise (IOCs) that others can use to detect the same activity.