Security News > 2023 > February > North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign
A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.
Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.
"The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August," WithSecure said in a detailed technical report shared with The Hacker News.
Subsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE. GREASE, which has been attributed as the handiwork of another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol privileges while also skirting firewall rules.
"At the beginning of November, Cobalt Strike beacons were detected from an internal server to two threat actor IP addresses," researchers Sami Ruohonen and Stephen Robinson pointed out, adding the data exfiltration occurred from November 5, 2022, through November 11, 2022.
North Korea-backed hacking groups have had a busy 2022, conducting both espionage-driven and cryptocurrency heists that align with the regime's strategic priorities.
News URL
https://thehackernews.com/2023/02/north-korean-hackers-exploit-unpatched.html
Related news
- North Korean Hackers Targeting Developers with Malicious npm Packages (source)
- Hackers exploit 14-year-old CMS editor on govt, edu sites for SEO poisoning (source)
- Japan warns of malicious PyPi packages created by North Korean hackers (source)
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Aiohttp bug to find vulnerable networks (source)
- Hackers exploit Ray framework flaw to breach servers, hijack resources (source)