
A new intelligence-gathering campaign attributed to the prolific North Korean state-sponsored Lazarus Group exploited known security flaws in unpatched Zimbra devices to compromise victims' systems.
This is according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident "No Pineapple" after an error message used by one of the backdoors.
Targets of the malicious operation include an Indian healthcare research organization, the chemical engineering department of a leading research university, and a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to compromise the supply chain.
The hacking crew is estimated to have exfiltrated around 100 GB of data following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.
In a detailed technical report shared with The Hacker News, WithSecure said, "Attackers exploited a vulnerable Zimbra mail server to gain access to the victim's network at the end of August."
The security flaws used for initial access are CVE-2022-27925 and CVE-2022-37042, both of which can be exploited to allow remote code execution on the underlying server.
This step was followed by the installation of a web shell and the exploitation of a local privilege escalation vulnerability on the Zimbra server (Pwnkit, CVE-2021-4034), which allowed the attacker to collect sensitive mailbox data.
Later, in October 2022, the attackers are said to have performed lateral movement and reconnaissance, eventually deploying backdoors such as Dtrack and an updated version of GREASE.
GREASE, believed to be the work of another North Korea-linked threat cluster called Kimsuky, is able to create new administrator accounts with Remote Desktop Protocol (RDP) privileges while bypassing firewall rules.
Dtrack, on the other hand, has been used in cyberattacks targeting various verticals and financially motivated attacks involving the use of the Maui ransomware.
"In early November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses," researchers Sami Ruohonen and Stephen Robinson noted, adding that data exfiltration took place between November 5, 2022 and November 11, 2022.
Tools such as Plink and 3Proxy were also used in the intrusion to create a proxy on the victim’s system. This mirrors Cisco Talos’ previous research into Lazarus Group’s attacks targeting energy providers.
The North Korea-backed hacking group had a busy 2022, carrying out both a series of espionage operations and cryptocurrency heists that align with the regime's strategic priorities.
Most recently, the BlueNoroff cluster, also known as APT38, Copernicium, Stardust Chollima, and TA444, was involved in widespread credential harvesting attacks targeting the education, financial, government, and healthcare sectors.