A new intelligence-gathering campaign attributed to the prolific North Korean state-sponsored Lazarus Group exploited known security flaws in unpatched Zimbra devices to compromise victims' systems.
This is according to the Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident "No Pineapple" in reference to an error message used by one of the backdoors.
Targets of the malicious operation include Indian healthcare research organizations, chemical engineering departments of major research universities, and manufacturers of technology used in the energy, research, defense, and healthcare sectors, which suggests an attempt to breach the supply chain.
Around 100 GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in taking place in the third quarter of 2022.
"A threat actor exploited a vulnerable Zimbra mail server at the end of August to gain access to our network," WithSecure said in a detailed technical report shared with The Hacker News.
The security flaws used for initial access were CVE-2022-27925 and CVE-2022-37042, both of which can be exploited to gain remote code execution on the underlying server.
This step was followed by the installation of a web shell and the exploitation of a local privilege escalation vulnerability on the Zimbra server (i.e., PwnKit, aka CVE-2021-4034), which allowed the attackers to harvest sensitive mailbox data.
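Two defensive checks that follow from the initial-access chain above, written as an added example (not code from the article or from WithSecure's report): a scan of web-server access logs for POST requests to Zimbra's mailbox-import endpoint, and the per-entry path-traversal check a safe archive extractor should perform. The endpoint path is taken from the public advisories for CVE-2022-27925 and CVE-2022-37042, not from the article; the log lines, the archive contents and the extraction root are constructed for the example.

```python
import io
import posixpath
import re
import zipfile

# Zimbra endpoint targeted by CVE-2022-27925 / CVE-2022-37042 (from the public
# advisories for those CVEs; the article itself does not name the endpoint).
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"

# Combined-format access log line, as written by the nginx in front of mailboxd.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (not from the article or from WithSecure's report).
SAMPLE_ACCESS_LOG = [
    '198.51.100.23 - - [29/Aug/2022:09:58:11 +0000] "GET /zimbra/ HTTP/1.1" 200 3120',
    '203.0.113.10 - - [29/Aug/2022:10:14:03 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 401 0',
    '203.0.113.10 - - [29/Aug/2022:10:14:09 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0',
    '198.51.100.23 - - [29/Aug/2022:10:20:44 +0000] "POST /service/soap/NoOpRequest HTTP/1.1" 200 511',
    'garbage line that does not parse',
]


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_mboximport_requests(lines):
    """Return (ip, status, path) for every POST to the mboximport endpoint.

    A 401 shows the request was rejected; a 2xx from an unexpected client is the
    event worth escalating, because a successful import is how the uploaded
    archive lands on disk.
    """
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == MBOXIMPORT_PATH:
            hits.append((rec["ip"], int(rec["status"]), rec["path"]))
    return hits


def unsafe_zip_entries(zip_bytes, extract_root="/opt/zimbra/store"):
    """Return archive member names that would be written outside extract_root.

    CVE-2022-27925 is a path-traversal bug in how the uploaded archive is
    extracted; this is the check a safe extractor performs for each entry
    before writing it.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = posixpath.normpath(posixpath.join(extract_root, name))
            inside = target == extract_root or target.startswith(extract_root + "/")
            if name.startswith("/") or not inside:
                bad.append(name)
    return bad


def build_sample_archive():
    """Constructed archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/Inbox.eml", "From: a@example.test\n\nhello\n")
        zf.writestr("../../../../tmp/traversal.txt", "escaped the store directory\n")
    return buf.getvalue()


if __name__ == "__main__":
    for ip, status, path in flag_mboximport_requests(SAMPLE_ACCESS_LOG):
        print(f"mboximport POST from {ip} -> HTTP {status}")
    print("unsafe entries:", unsafe_zip_entries(build_sample_archive()))
```

The log check deliberately strips the query string before comparing paths, so variations in parameters do not hide a hit; the archive check normalizes the joined path rather than looking for a literal `..`, so encoded or nested traversal forms resolve to the same answer.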
Later, in October 2022, the attackers are said to have performed lateral movement and reconnaissance, eventually deploying backdoors such as Dtrack and an updated version of GREASE.
GREASE is believed to be the handiwork of another North Korea-linked threat cluster called Kimsuky, and includes functionality to create new administrator accounts with Remote Desktop Protocol (RDP) privileges while bypassing firewall rules.
Dtrack, on the other hand, has been used in cyber attacks aimed at a wide range of industries, as well as in attacks deploying the Maui ransomware.
"In early November, we detected Cobalt Strike [command-and-control] beacons from internal servers to two threat actor IP addresses," noted researchers Sami Ruohonen and Stephen Robinson, adding that data exfiltration took place from November 5, 2022 to November 11, 2022.
Tools such as Plink and 3Proxy were also used in the intrusion to create a proxy on the victim's system, echoing previous findings from Cisco Talos on Lazarus Group attacks targeting energy providers.
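The beacon detection mentioned above rests on the regularity of command-and-control check-ins. As an added example (not from the article or from WithSecure), the following script groups outbound connection records by source and destination and flags pairs whose inter-connection intervals have a low coefficient of variation, which is what a Cobalt Strike-style beacon looks like even with jitter applied. The connection records, hosts and addresses are constructed for the example (documentation ranges only), and the threshold of 0.15 is an assumed starting point, not a published value.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_conn_log():
    """Build constructed outbound-connection records: 'ISO-timestamp src dst dport'.

    10.0.5.20 talks to 198.51.100.7 about every 60 s with a little jitter (the
    shape of a beacon); 10.0.5.31 talks to 198.51.100.9 at irregular intervals.
    All addresses are documentation ranges, not real threat actor IPs.
    """
    t0 = datetime(2022, 11, 5, 8, 0, 0)
    lines = []
    jitter = [0, 1, -1, 0, 2, -2, 1, 0, -1, 1]
    for i, j in enumerate(jitter):
        ts = t0 + timedelta(seconds=60 * i + j)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.5.20 198.51.100.7 443")
    offset = 0
    for gap in [7, 410, 33, 1250, 5, 90, 620, 12, 340]:
        offset += gap
        ts = t0 + timedelta(seconds=offset)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.5.31 198.51.100.9 443")
    return sorted(lines)


SAMPLE_CONN_LOG = _constructed_conn_log()


def parse_conn_line(line):
    """Split one record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def find_beacons(lines, min_events=8, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the intervals.
    A beacon keeps it low even with jitter; interactive traffic does not.
    min_events avoids scoring pairs with too few samples to judge.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_conn_line(line)
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.stdev(intervals) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CONN_LOG):
        print(f"possible beacon {f['src']} -> {f['dst']}: "
              f"{f['events']} events, ~{f['mean_interval_s']} s apart, cv={f['cv']}")
```

In practice the same logic runs over firewall or NetFlow exports with the destination restricted to external addresses; pairs that surface can then be cross-checked against threat intelligence for the destination IP and against the process that opened the connection on the internal host.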
2022 was a busy year for North Korea-backed hacking groups, with a series of espionage operations and cryptocurrency heists consistent with the regime's strategic priorities.
More recently, the BlueNoroff cluster, also known as APT38, Copernicium, Stardust Chollima, and TA444, has been linked to widespread credential-harvesting attacks targeting the education, finance, government, and healthcare sectors.