
Zimbra Likely Victim Again: ‘No Pineapple’ Hacking Campaign by the Lazarus Group exploiting unpatched CVEs

Cyber Secure India

Two CVEs (Common Vulnerabilities and Exposures), namely CVE-2022-27925 and CVE-2022-37042, were earlier reported and targeted the Zimbra application; both could be abused to gain remote code execution on the underlying server. The present attack is dubbed “No Pineapple” after an error message in a backdoor that appends <No Pineapple!> when data exceeds the segmented byte size. This attack vector on Zimbra servers is used to gain access and then to execute and deploy web shell scripts. The operation also uses Cobalt Strike beacons as a persistence mechanism.

A detailed study revealed that the campaign’s patterns provide indicators pointing to North Korea, and possibly to the government hacking unit Mandiant identifies as Bureau 325. In these specific cases, the attack starts with Lazarus exploiting known vulnerabilities on Zimbra servers. Having gained access to a targeted server, the team then manages the rest of the operation on an individual basis, according to the value of the target.

Researchers from the Finnish company WithSecure are also said to have reported that they detected a campaign targeting the medical research and energy sectors, which came to their attention after endpoint detection scans showed a Cobalt Strike beacon on a customer’s servers connecting to known threat actor IP addresses.

The campaign also involves the use of a remote access Trojan called acres.exe. The tool truncates data exfiltration messages greater than 1,024 bytes with the message “No Pineapple!”. The acres malware is used to exfiltrate data, and it resembles a remote access Trojan dubbed MagicRAT that Cisco Talos researchers had earlier observed in a similar scenario. WithSecure has other evidence for concluding that North Koreans are behind the present cyberespionage campaign, such as the hackers’ use of 3Proxy, Plink and Stunnel to establish persistence in the aftermath.

WithSecure also found a set format of passwords that is generally used by North Korean threat actors. They all had a similar format, “most likely made by making a pattern on a U.S. layout keyboard.” Examples include “1qaz123!@#” and “1qaz@@@#A@/add”.
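As an added, defender-side example (not code from the advisory or from WithSecure), the following Python check flags passwords that are mostly keyboard walks on a U.S. layout keyboard, the pattern described above, so a credential audit or password policy can reject them. The layout table, the three-key minimum run and the 50% threshold are assumptions of this example.

```python
# Added example (not from the advisory): flag passwords built from keyboard
# walks on a US QWERTY layout, such as the "1qaz..." patterns described above.
# The layout table and the 0.5 threshold are this example's own assumptions.
from typing import Dict, List, Tuple

# Unshifted and shifted US QWERTY rows; a shifted key maps to the same
# physical position as its unshifted counterpart.
_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", 'ASDFGHJKL:"'),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]

# Map every printable key, shifted or not, to its (row, column) position.
_POS: Dict[str, Tuple[int, int]] = {}
for _row, (_plain, _shifted) in enumerate(_ROWS):
    for _col, (_p, _s) in enumerate(zip(_plain, _shifted)):
        _POS[_p] = _POS[_s] = (_row, _col)

def _adjacent(a: str, b: str) -> bool:
    """True when two characters sit on the same key or on neighbouring keys."""
    if a not in _POS or b not in _POS:
        return False
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1

def keyboard_walks(password: str, min_len: int = 3) -> List[str]:
    """Return the maximal runs of adjacent keys that are at least min_len long."""
    walks, start = [], 0
    for i in range(1, len(password) + 1):
        if i == len(password) or not _adjacent(password[i - 1], password[i]):
            if i - start >= min_len:
                walks.append(password[start:i])
            start = i
    return walks

def keyboard_walk_score(password: str) -> float:
    """Fraction of the password covered by keyboard walks (0.0 to 1.0)."""
    if not password:
        return 0.0
    return sum(len(w) for w in keyboard_walks(password)) / len(password)

def is_keyboard_walk_password(password: str, threshold: float = 0.5) -> bool:
    """Policy check: reject when at least `threshold` of the password is walks."""
    return keyboard_walk_score(password) >= threshold
```

Both sample passwords from the advisory are flagged: the first is walks end to end ("1qaz", "123", "!@#"), the second is just over half walks ("1qaz", "@@@#").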

As of this writing, the hackers in this specific campaign have harvested over 100 gigabytes of data.
