North Korean hackers exploit Zimbra mail server vulnerability in their 'No Pineapple' malware campaign


And what's with the pineapple?

The North Korean Lazarus Group exploited known vulnerabilities in the Zimbra mail server to obtain critical intelligence.

WithSecure called the incident "No Pineapple" referring to an error message used in one of the attackers' backdoors.

The intrusion took place in the third quarter of 2022 and ended with the attackers exfiltrating about 100 GB of data from an unnamed WithSecure customer.

“An attacker gained access to the network using a vulnerable Zimbra mail server at the end of August,” WithSecure says in its detailed report.

Initial access was gained through two Zimbra Collaboration vulnerabilities: CVE-2022-27925, a path-traversal flaw in the mboximport ZIP-import feature that allows writing arbitrary files (and thus remote code execution) on the underlying server, and CVE-2022-37042, an authentication bypass that lets the former be exploited without valid credentials.

This step was followed by installing web shells and exploiting a local privilege-escalation vulnerability on the Zimbra host (CVE-2021-4034, "Pwnkit", in polkit's pkexec) to obtain root. With that level of access the attacker was able to collect sensitive data from the mail service.
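A check a responder would want for the initial-access step described above: hunt the Zimbra reverse-proxy access log for POSTs to the mboximport servlet (the endpoint affected by CVE-2022-27925 / CVE-2022-37042) and correlate them with follow-on requests for .jsp files, which is how a dropped web shell would be reached. This is an added example, not code from WithSecure or from the article; the log lines are constructed for illustration, and the script assumes nginx "combined" log format.

```python
"""Hunt for Zimbra mboximport exploitation (CVE-2022-27925 / CVE-2022-37042)
followed by web-shell access, in nginx combined-format access logs.

Added example; the sample log below is constructed, not taken from any real incident.
"""
import re
from collections import defaultdict

# Vulnerable servlet path from the Zimbra advisories for the two CVEs.
MBOXIMPORT = "/service/extension/backup/mboximport"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one source first hits a 401 (auth required), then succeeds
# with a 200 (auth bypass), then calls a JSP it just dropped. A second, benign source
# makes a normal SOAP request.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2022:10:14:02 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 401 1234 "-" "python-requests/2.28.1"
203.0.113.7 - - [28/Aug/2022:10:14:05 +0000] "POST /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1 HTTP/1.1" 200 556 "-" "python-requests/2.28.1"
203.0.113.7 - - [28/Aug/2022:10:14:09 +0000] "GET /zimbra/h/tmp.jsp?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.28.1"
198.51.100.23 - - [28/Aug/2022:10:20:41 +0000] "GET /service/soap/NoOpRequest HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text):
    """Return {ip: {"import_status": [...], "jsp_hits": [...]}} for every source IP
    that POSTed to the mboximport servlet, with any later .jsp requests it made."""
    findings = defaultdict(lambda: {"import_status": [], "jsp_hits": []})
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec:
            continue
        path_only = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path_only == MBOXIMPORT:
            # 401/403 = attempt against a server that still demands auth (likely patched);
            # 2xx = the import was accepted, i.e. an archive was written to disk.
            findings[rec["ip"]]["import_status"].append(int(rec["status"]))
        elif rec["ip"] in findings and path_only.lower().endswith(".jsp"):
            # Same source later requesting a JSP is consistent with a dropped web shell.
            findings[rec["ip"]]["jsp_hits"].append(rec["path"])
    return dict(findings)


def likely_compromised(findings):
    """IPs whose mboximport POST succeeded (2xx) and that then touched a .jsp file."""
    return sorted(
        ip for ip, f in findings.items()
        if any(200 <= s < 300 for s in f["import_status"]) and f["jsp_hits"]
    )


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for ip, f in result.items():
        print(ip, "mboximport statuses:", f["import_status"], "jsp:", f["jsp_hits"])
    print("likely compromised:", likely_compromised(result))
```

Run it against the real log with `hunt(open("/opt/zimbra/log/nginx.access.log").read())`; any IP returned by `likely_compromised` warrants pulling the referenced .jsp files from under the Zimbra webapps tree and treating the host as compromised, since a successful import on an unpatched server already means attacker-controlled files were written.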

Subsequently, in October 2022, the attackers moved laterally through the network and eventually deployed the Dtrack and GREASE backdoors.

GREASE is attributed to Kimsuky, another group associated with North Korea. The backdoor can create new administrator accounts with remote-access (RDP) capabilities and bypass firewall rules.

The Dtrack backdoor has previously been used in cyberattacks targeting various industry verticals, as well as financial attacks using Maui ransomware.

WithSecure named the campaign "No Pineapple" after an error string in the Dtrack backdoor, which it emits when uploading data to its C2 server if the data exceeds the backdoor's segmented byte size.

The attack also used the Plink and 3Proxy tools to create a proxy server on the victim's system, confirming Cisco Talos' previous findings about Lazarus Group attacks targeting energy providers.

North Korean-backed hacker groups have had a busy year. They have been implicated in a variety of spy attacks and cryptocurrency thefts that are in line with the strategic priorities of the DPRK regime.