North Korean Hackers Exploit Unpatched Zimbra Devices in No Pineapple Campaign

A new intelligence-gathering campaign linked to the North Korean state-sponsored Lazarus Group has been discovered by Finnish cybersecurity company WithSecure. The campaign, codenamed No Pineapple, exploited known security flaws in unpatched Zimbra devices to compromise victim systems. Targets included a healthcare research organization in India, the chemical engineering department of a leading research university, and a manufacturer of technology used in the energy, research, defense, and healthcare sectors. An estimated 100GB of data was exfiltrated following the compromise of an unnamed customer, likely in the third quarter of 2022.

The threat actor gained initial access by exploiting two security flaws, CVE-2022-27925 and CVE-2022-37042, which gave them remote code execution on the underlying server. This was followed by the installation of web shells and the exploitation of a local privilege escalation vulnerability in the Zimbra server, enabling the harvesting of sensitive mailbox data. In October 2022, the adversary carried out lateral movement and reconnaissance and deployed backdoors such as Dtrack and an updated version of GREASE. GREASE, attributed to the North Korea-affiliated Kimsuky group, can create new administrator accounts with remote desktop protocol privileges and bypass firewall rules. Dtrack, on the other hand, has been used in attacks against a variety of industry verticals, as well as in financially motivated attacks involving Maui ransomware.

At the beginning of November, Cobalt Strike beacons were detected from an internal server to two threat actor IP addresses. Data exfiltration occurred from November 5, 2022, through November 11, 2022. Tools such as Plink and 3Proxy were also used to set up a proxy on the victim system.

North Korea-backed hacking groups were active throughout 2022, conducting espionage-driven attacks and cryptocurrency heists that align with the regime's strategic priorities. Most recently, the BlueNoroff cluster, also known as APT38, Copernicium, Stardust Chollima, and TA444, was connected to credential harvesting attacks targeting the education, financial, government, and healthcare sectors.

This Cyber News was published on thehackernews.com. Publication date: Thu, 02 Feb 2023 10:16:03 +0000

