Skip to content

North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign

Vulnerability
  • A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.

    That’s according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple.

    Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.

    Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.

    “The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August,” WithSecure said in a detailed technical report shared with The Hacker News.

    The security flaws used for initial access are CVE-2022-27925 and CVE-2022-37042, both of which could be abused to gain remote code execution on the underlying server.

    This step was succeeded by the installation of web shells and the exploitation of local privilege escalation vulnerability in the Zimbra server (i.e., Pwnkit aka CVE-2021-4034), thereby enabling the threat actor to harvest sensitive mailbox data.

    Subsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.

    GREASE, which has been attributed as the handiwork of another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules.

    Dtrack, on the other hand, has been employed in cyber assaults aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of Maui ransomware.

    “At the beginning of November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses,” researchers Sami Ruohonen and Stephen Robinson pointed out, adding the data exfiltration occurred from November 5, 2022, through November 11, 2022.

    Also used in the intrusion were tools like Plink and 3Proxy to create a proxy on the victim system, echoing previous findings from Cisco Talos about Lazarus Group’s attacks targeting energy providers.

    North Korea-backed hacking groups have had a busy 2022, conducting both espionage-driven and cryptocurrency heists that align with the regime’s strategic priorities.

    Most recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and Copernicium, and Stardust Chollima, and TA444, was connected to wide-ranging credential harvesting attacks aimed at education, financial, government, and healthcare sectors.

    – Source

  • DownPWundefined DownPW marked this topic as a regular topic on
  • @DownPW Thanks very much for this. For anyone else looking to get access to constantly updated vulnerability and breach information, I created a site some time ago that is fully automated, and ingests data from a variety of sources - effectively creating a single pane of glass to obtain information from well-known and respected information sources.

    The site is Hostrisk

    https://hostrisk.com

  • @phenomlab better to post hère or on histrisk?

  • @DownPW here. Hostrisk is automated and doesn’t accept registrations.


Related Topics
  • 1 Votes
    1 Posts
    201 Views
    No one has replied
  • Bad information security advice

    Security
    1
    1 Votes
    1 Posts
    143 Views
    No one has replied
  • 19 Votes
    30 Posts
    505 Views

    @phenomlab 100%.

  • Securing javascript -> PHP mysql calls on Website

    Solved Security
    2
    1 Votes
    2 Posts
    375 Views

    @mike-jones Hi Mike,

    There are multiple answers to this, so I’m going to provide some of the most important ones here

    JS is a client side library, so you shouldn’t rely on it solely for validation. Any values collected by JS will need to be passed back to the PHP backend for processing, and will need to be fully sanitised first to ensure that your database is not exposed to SQL injection. In order to pass back those values into PHP, you’ll need to use something like

    <script> var myvalue = $('#id').val(); $(document).ready(function() { $.ajax({ type: "POST", url: "https://myserver/myfile.php?id=" + myvalue, success: function() { $("#targetdiv").load('myfile.php?id=myvalue #targetdiv', function() {}); }, //error: ajaxError }); return false; }); </script>

    Then collect that with PHP via a POST / GET request such as

    <?php $myvalue= $_GET['id']; echo "The value is " . $myvalue; ?>

    Of course, the above is a basic example, but is fully functional. Here, the risk level is low in the sense that you are not attempting to manipulate data, but simply request it. However, this in itself would still be vulnerable to SQL injection attack if the request is not sent as OOP (Object Orientated Programming). Here’s an example of how to get the data safely

    <?php function getid($theid) { global $db; $stmt = $db->prepare("SELECT *FROM data where id = ?"); $stmt->execute([$theid]); while ($result= $stmt->fetch(PDO::FETCH_ASSOC)){ $name = $result['name']; $address = $result['address']; $zip = $result['zip']; } return array( 'name' => $name, 'address' => $address, 'zip' => $zip ); } ?>

    Essentially, using the OOP method, we send placeholders rather than actual values. The job of the function is to check the request and automatically sanitise it to ensure we only return what is being asked for, and nothing else. This prevents typical injections such as “AND 1=1” which of course would land up returning everything which isn’t what you want at all for security reasons.

    When calling the function, you’d simply use

    <?php echo getid($myvalue); ?>

    @mike-jones said in Securing javascript -> PHP mysql calls on Website:

    i am pretty sure the user could just use the path to the php file and just type a web address into the search bar

    This is correct, although with no parameters, no data would be returned. You can actually prevent the PHP script from being called directly using something like

    <?php if(!defined('MyConst')) { die('Direct access not permitted'); } ?>

    then on the pages that you need to include it

    <?php define('MyConst', TRUE); ?>

    Obviously, access requests coming directly are not going via your chosen route, therefore, the connection will die because MyConst does not equal TRUE

    @mike-jones said in Securing javascript -> PHP mysql calls on Website:

    Would it be enough to just check if the number are a number 1-100 and if the drop down is one of the 5 specific words and then just not run the rest of the code if it doesn’t fit one of those perameters?

    In my view, no, as this will expose the PHP file to SQL injection attack without any server side checking.

    Hope this is of some use to start with. Happy to elaborate if you’d like.

  • Addressing vulnerability management

    Blog
    1
    0 Votes
    1 Posts
    247 Views
    No one has replied
  • Hackers aren't evil - separating fact and FUD

    Blog
    1
    0 Votes
    1 Posts
    247 Views
    No one has replied
  • 0 Votes
    1 Posts
    335 Views
    No one has replied
  • is my DMARC configured correctly?

    Solved Configure
    3
    3 Votes
    3 Posts
    468 Views

    @phenomlab said in is my DMARC configured correctly?:

    you’ll get one from every domain that receives email from yours.

    Today I have received another mail from outlook DMARC, i was referring to your reply again and found it very helpful/informative. thanks again.

    I wish sudonix 100 more great years ahead!