The North Korean Lazarus hacking group has been identified as the perpetrator of a recent cyber espionage operation dubbed No Pineapple!. During the campaign the attackers exfiltrated 100GB of data from their target without causing any disruption to it. WithSecure, formerly known as F-Secure, named the campaign No Pineapple! after an error message found in one of the backdoors used by the group.

The campaign ran from August to November 2022 and targeted organizations in specific industries. The attackers gained their initial foothold through known vulnerabilities in unpatched Zimbra mail servers: on August 22nd, they exploited two vulnerabilities in the target's Zimbra server to get access to the network.

WithSecure attributed the No Pineapple! campaign to Lazarus on the basis of several pieces of evidence, and in the process observed some new developments in the group's tactics and tooling. The attackers used bare IP addresses, with no domain names, for their new infrastructure; deployed a new version of the Dtrack info-stealer; and added a capability to the GREASE malware that creates administrator accounts and bypasses protections. They also used tunneling tools to set up reverse tunnels back to their own infrastructure, which let them bypass the firewall and keep persistent access to the victim's network.

The attackers then extracted around 5 gigabytes of email messages from the server, wrote them to a CSV file saved locally, and uploaded that file to a server under their control. By November 5th, the group had stolen 100GB of data from the victim organization.
WithSecure's review of the network logs obtained from the compromised system found that one of the web shells planted by the attackers was communicating with a North Korean IP address, most likely an operational mistake on the part of the hackers.
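The tradecraft described above (reverse tunnels held open from the mail server to bare-IP attacker infrastructure, bulk upload of an exfiltration archive, and a web shell talking to an external address that only showed up in the network logs) is the kind of behaviour a defender can triage from egress logs. The script below is an added illustration, not WithSecure's or the article's code; the log format, the monitored host address, the internal network ranges and the thresholds are all assumptions, and the log lines are constructed for the example. It flags a monitored server that opens outbound connections to external IPs with no hostname on non-mail ports, connections that stay up for hours, and destinations that receive an abnormal volume of data.

```python
"""Egress-log triage for a mail server suspected of hosting a web shell or
reverse tunnel.  Added example, not code from WithSecure or the article.
Log format, host addresses and thresholds are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample lines (not real telemetry), one connection per line:
# <epoch> <src_ip> <dst_ip> <dst_port> <bytes_out> <duration_s> <sni_or_->
SAMPLE_LOG = """\
1661126400 10.0.0.25 203.0.113.10 443 1200 2 updates.example.com
1661126410 10.0.0.25 198.51.100.77 25 8000 3 -
1661126420 10.0.0.25 192.0.2.55 443 950 86400 -
1661126430 10.0.0.25 192.0.2.55 8443 5300000000 7200 -
1661126440 10.0.0.30 203.0.113.10 443 2000 1 updates.example.com
"""

MONITORED = {"10.0.0.25"}           # assumed address of the Zimbra host
MAIL_PORTS = {25, 465, 587}         # outbound ports a mail relay legitimately uses
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_LIVED_S = 3600                 # a reverse tunnel stays up for hours, not seconds
BULK_BYTES = 1_000_000_000          # ~1 GB uploaded from a mail server is not normal


@dataclass(frozen=True)
class Finding:
    line_no: Optional[int]          # None for findings aggregated across lines
    dst: str
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log record into typed fields."""
    ts, src, dst, port, nbytes, dur, host = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "bytes": int(nbytes), "duration": int(dur),
            "host": None if host == "-" else host}


def triage(log_text: str) -> List[Finding]:
    """Return suspicious egress from monitored hosts to external addresses."""
    findings: List[Finding] = []
    bytes_to = defaultdict(int)     # total bytes sent per external destination
    for n, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] not in MONITORED or is_internal(rec["dst"]):
            continue
        bytes_to[rec["dst"]] += rec["bytes"]
        # Bare-IP infrastructure: no hostname/SNI, and not ordinary mail delivery.
        if rec["host"] is None and rec["port"] not in MAIL_PORTS:
            findings.append(Finding(n, rec["dst"], "raw-ip-destination"))
        # A tunnel or web-shell channel that never closes.
        if rec["duration"] >= LONG_LIVED_S:
            findings.append(Finding(n, rec["dst"], "long-lived-egress"))
    # Exfiltration shows up as volume, regardless of how it was split up.
    for dst, total in bytes_to.items():
        if total >= BULK_BYTES:
            findings.append(Finding(None, dst, "bulk-upload"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = f"line {f.line_no}" if f.line_no else "aggregate"
        print(f"{where}: {f.dst} {f.reason}")
```

In the constructed sample, only the destination 192.0.2.55 is flagged: the mail server's normal TLS connection to a named update host and its SMTP delivery to a bare IP on port 25 pass, while the hour-plus sessions to a bare IP on 443 and 8443 and the multi-gigabyte upload to it are reported. In practice the thresholds should be tuned against a baseline of the server's real egress, and a hit on a raw-IP destination is a reason to pull the web server access logs for that host, which is where the web shell itself would be visible.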
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 04 Feb 2023 16:18:02 +0000