The North Korean group Lazarus Group used the well -known vulnerabilities in the Zimbra postal server to obtain important intelligence.
WithSecure named this incident “No PineApple” with reference to an error message that is used in one of the bacdors of attackers.
The hacker team managed to export about 100 GB of data after compromising an unnamed client. And the hacking itself occurred in the third quarter of 2022.
“The attacker gained access to the network using the vulnerable Zimbra postal server at the end of August,” reports with detailed report .
For initial access, the vulnerabilities of the security of the CVE-2022-27925 and CVE-2022-37042 were used, which allow remotely executing the code on the basic server.
This step was followed by the installation of a web stick and the use of the vulnerability of the local increase in privileges on the Zimbra server (“Pwnkit” or CVE-2021-4034). This allowed the attacker to collect confidential data from the postal service.
Subsequently, in October 2022, the hackers carried out the so -called “lateral movement” and, ultimately, introduced the bacdors Dtrack and Grease.
The creation of Grease is assigned to another group, also related to North Korea, Kimsuky. This backdor provides opportunities for creating new administrator accounts with remote access capabilities, as well as bypassing the rules of the firewall.
DTRACK BECDOR was previously used in cyber attacks aimed at various industry verticals, as well as in financial attacks using MAUI boards.
WithSecure gave this attack the name “No PineApple” (“No Pineapple”) just in honor of the error when working BECDOR DTRACK, which appears when unloading data on the C2 server if the data exceeds the size of the segmented byte.
Error message in Backdor dtrack
This attack also used PLINK and 3PROXY tools to create a proxy server in the victim system, which confirms previous conclusions Cisco Talos about the attacks of Lazarus Group, aimed at energy suppliers.
The hacker groups supported by North Korea spent a saturatedly last year. They were involved in many espionage attacks and cryptocurrency thefts that correspond to the strategic priorities of the DPRK regime.