North Korean Hacker Group Targeted Medical & Energy Sector

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


The North Korean Lazarus hacking group has been identified as the actor behind a recent cyber espionage operation dubbed “No Pineapple!”, a campaign that again demonstrates the group’s ability to carry out sophisticated, long-running intrusions.

In the “No Pineapple!” campaign the group quietly extracted around 100GB of data from its target without disrupting or damaging the victim’s systems.

WithSecure, formerly known as F-Secure, named the cyber espionage campaign “No Pineapple!” due to an error message present in one of the backdoors used by the North Korean Lazarus hacking group. 

As part of the “No Pineapple!” campaign, the Lazarus hacking group exploited known vulnerabilities in an unpatched Zimbra mail server to gain an initial foothold in the target’s network.

Targeted Organizations by Lazarus Group

The “No Pineapple!” cyber espionage campaign orchestrated by the Lazarus hacking group ran from August to November of 2022 and targeted organizations in specific industries. 

During this time period, these threat actors aimed their efforts at the following sectors:-

  • Medical research
  • Healthcare
  • Chemical engineering
  • Energy
  • Defense
  • A leading research university

At the end of August, the Lazarus hacking group penetrated the network by exploiting a weakness in a Zimbra mail server.

WithSecure attributed the “No Pineapple!” campaign to the Lazarus hacking group through several pieces of evidence, while also observing some new developments in the group’s tactics and tooling. These included:-

  • New infrastructure that uses bare IP addresses without domain names.
  • A new version of the Dtrack info-stealer malware.
  • An updated GREASE malware with a new feature that lets the attackers create administrator accounts and bypass firewall rules.

Flaws Exploited by Hacker Group

On August 22nd, 2022, the Lazarus hacking group broke into the victim’s network by exploiting two vulnerabilities in its Zimbra mail server:-

  • CVE-2022-27925 (Remote Code Execution)
  • CVE-2022-37042 (Authentication Bypass)

A patch for the remote code execution vulnerability, CVE-2022-27925, had been available since May 2022. The authentication bypass (CVE-2022-37042), which when chained with the RCE bug removes the need for valid credentials, was not fixed until Zimbra released a security update on August 12th, 2022.

By then a number of other threat actors had already exploited it in the wild. After compromising the server, the Lazarus hacking group used the following tunneling tools to create reverse tunnels back to its own infrastructure:-

  • Plink
  • 3Proxy

These reverse tunnels let the attackers bypass the firewall and maintain persistent access to the victim’s network. About a week after the intrusion, WithSecure reports, the attackers began extracting roughly 5GB of email messages from the server using modified scripts.

The messages were written to a CSV file stored locally on the server and then uploaded to infrastructure controlled by the threat actors.

The intrusion peaked on November 5th, 2022, after the attackers had been inside the network for more than two months. In total, around 100GB of data was stolen from the victim organization.

Mistakes Led to Exposure

Mistakes are not uncommon, even for advanced and well-resourced groups like Lazarus. In this case, a single slip made it possible to attribute the campaign to the group.

WithSecure’s analysis of network logs from the compromised system found that one of the web shells planted by the attackers had been contacted directly from a North Korean IP address, “175.45.176[.]27”.

That connection occurred early in the morning and was preceded by connections from a proxy address. This suggests the operator forgot to route through the proxy at the start of their workday and exposed their real address by mistake.
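To show what that kind of check looks like in practice, here is an added example written for this article (it is not code from WithSecure or from the Lazarus report). It scans web-server access-log lines for requests to an assumed web shell path, flags any request coming from the indicator IP named above, and records which other client was using the same shell just before it, mirroring the “direct hit preceded by proxy traffic” pattern. The log lines, the web shell path /downloads/s.jsp and the proxy address 203.0.113.10 are constructed assumptions; only the IP 175.45.176.27 comes from the report.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Indicator published in the WithSecure report (defanged there as 175.45.176[.]27).
IOC_IPS = {"175.45.176.27"}

# Assumed web shell location: the report does not publish the actual path.
WEBSHELL_PATHS = {"/downloads/s.jsp"}

# Constructed access-log lines in Apache/nginx "combined" format. None of these
# are real traffic; 203.0.113.10 stands in for the operator's usual proxy.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2022:09:12:01 +0000] "GET /zimbra/ HTTP/1.1" 200 1234
203.0.113.10 - - [05/Nov/2022:23:58:40 +0000] "POST /downloads/s.jsp HTTP/1.1" 200 77
203.0.113.10 - - [06/Nov/2022:00:03:12 +0000] "POST /downloads/s.jsp HTTP/1.1" 200 81
175.45.176.27 - - [06/Nov/2022:00:31:55 +0000] "POST /downloads/s.jsp HTTP/1.1" 200 80
203.0.113.10 - - [06/Nov/2022:00:45:09 +0000] "POST /downloads/s.jsp HTTP/1.1" 200 79
"""

# client ip, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text: str) -> List[Dict]:
    """Parse all lines and return them ordered by timestamp."""
    entries = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted((e for e in entries if e), key=lambda e: e["ts"])


def webshell_clients(entries: List[Dict]) -> List[str]:
    """Every distinct client IP that touched a web shell path."""
    return sorted({e["ip"] for e in entries if e["path"] in WEBSHELL_PATHS})


def ioc_hits(entries: List[Dict]) -> List[Dict]:
    """Requests originating from a known indicator IP, regardless of path."""
    return [e for e in entries if e["ip"] in IOC_IPS]


def opsec_slips(entries: List[Dict]) -> List[Dict]:
    """For each IOC request to a web shell, record which other client (the
    suspected proxy) used the same shell immediately before it. A direct hit
    sandwiched between proxy hits is the pattern the report describes."""
    slips = []
    last_other_client = None
    for e in entries:  # entries are already time-ordered
        if e["path"] not in WEBSHELL_PATHS:
            continue
        if e["ip"] in IOC_IPS:
            slips.append({"ioc_ip": e["ip"], "ts": e["ts"],
                          "preceded_by": last_other_client})
        else:
            last_other_client = e["ip"]
    return slips


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("clients using the web shell:", webshell_clients(log))
    for slip in opsec_slips(log):
        print(f"{slip['ts'].isoformat()} direct hit from {slip['ioc_ip']} "
              f"on the shell, previous client was {slip['preceded_by']}")
```

Run against real logs by replacing SAMPLE_LOG with the file contents and the assumed web shell path with the one found during triage. The value of the last function is the timeline it produces: a single direct connection from an indicator address wedged between proxy connections is far stronger attribution evidence than the indicator address on its own.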
