Security News > 2023 > February > North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign

North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign
2023-02-02 09:45

A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.

Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.

"The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August," WithSecure said in a detailed technical report shared with The Hacker News.

Subsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE. GREASE, which has been attributed as the handiwork of another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol privileges while also skirting firewall rules.

"At the beginning of November, Cobalt Strike beacons were detected from an internal server to two threat actor IP addresses," researchers Sami Ruohonen and Stephen Robinson pointed out, adding the data exfiltration occurred from November 5, 2022, through November 11, 2022.

North Korea-backed hacking groups have had a busy 2022, conducting both espionage-driven and cryptocurrency heists that align with the regime's strategic priorities.

News URL

Related vendor

Zimbra 7 2 47 7 4 60