
Lazarus campaign exploits unpatched Zimbra devices, targets medical data


An ongoing campaign attributed to the notorious Lazarus Group is targeting the medical research and energy industries, as well as their supply chain partners, by exploiting known vulnerabilities in unpatched Zimbra devices, according to WithSecure research.

By exploiting the unpatched devices, the threat actors are able to compromise the network and escalate privileges. The researchers have also observed other possible victims in other verticals, where the activity also led to data exfiltration.

WithSecure has identified the ongoing campaign’s victims in healthcare research, a manufacturer of technology used in energy, research, defense, and healthcare verticals, and a chemical engineering department of a leading research university.

Dubbed "No Pineapple," the attacks leave an error message in a backdoor that is appended with the name “in the event data exceeds segmented byte size.” According to the report, these attacks appear designed to gather intelligence from victim organizations.

“The victimology follows the established pattern of high-value targets in medical research and energy, additionally WithSecure believes the threat actor has intentionally targeted the supply chain of these verticals,” according to the report.

As reported in the fall of 2022, a critical remote code execution vulnerability tracked as CVE-2022-41352 and rated 9.8 in severity was actively exploited in the wild beginning in mid-September.

The flaw is caused by the devices using an antivirus engine that employs a cpio utility to scan inbound emails. A vulnerability in the utility can enable an attacker to create an archive to access any files within the Zimbra devices.
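As an added illustration (not code from WithSecure, Zimbra or this article), the defender-side check below parses a cpio "newc" archive, the kind handled by the cpio utility mentioned above, and flags members that could land outside the extraction directory. The flagged conditions (absolute paths, `..` components, symlinks) are generic archive-hygiene checks assumed here rather than details taken from the report, and the sample archive is constructed.

```python
import stat

MAGICS = (b"070701", b"070702")  # cpio "newc" and "crc" header magics

def _pad4(n):
    """Round n up to the next multiple of 4 (newc alignment rule)."""
    return (n + 3) & ~3

def make_entry(name, mode, data=b""):
    """Build one newc entry; used only to construct the sample archive."""
    raw = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    head = b"070701" + b"".join(b"%08X" % f for f in fields) + raw
    head += b"\0" * (_pad4(len(head)) - len(head))
    return head + data + b"\0" * (_pad4(len(data)) - len(data))

def risky_members(archive):
    """Return [(name, reason)] for members that could escape the extraction dir."""
    findings, off = [], 0
    while off + 110 <= len(archive):
        if archive[off:off + 6] not in MAGICS:
            raise ValueError("bad cpio magic at offset %d" % off)
        # 13 fields of 8 hex digits each follow the 6-byte magic.
        fields = [int(archive[off + 6 + 8 * i: off + 14 + 8 * i], 16)
                  for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_end = off + 110 + namesize
        name = archive[off + 110: name_end - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":          # end-of-archive marker
            break
        if name.startswith("/"):
            findings.append((name, "absolute path"))
        elif ".." in name.split("/"):
            findings.append((name, "parent-directory traversal"))
        if stat.S_ISLNK(mode):
            findings.append((name, "symlink"))
        off = _pad4(_pad4(name_end) + filesize)   # skip name padding and data
    return findings

# Constructed sample: one benign member and three that should be flagged.
SAMPLE = b"".join([
    make_entry("notes.txt", 0o100644, b"hello"),
    make_entry("../outside.txt", 0o100644, b"x"),
    make_entry("/abs/file", 0o100644),
    make_entry("link", 0o120777, b"/some/dir"),
    make_entry("TRAILER!!!", 0),
])

if __name__ == "__main__":
    for name, reason in risky_members(SAMPLE):
        print(f"{name}: {reason}")
```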

Upon disclosing the vulnerability, Zimbra released a recommended workaround to install the pax utility and restart Zimbra services. But Rapid7 researchers warned that hackers would “logically move to exploit” the unpatched flaw given the alerts detailing the security bug.

The WithSecure report suggests that this is exactly what happened.

Its researchers responded to a cyberattack leveraging these tactics during Q4 2022, which has been attributed with high confidence to the Lazarus Group. The forensic evidence shows characteristics seen in other campaigns by the North Korean state-sponsored threat actors.

The attack was deployed against a Zimbra mail server in August, where the attackers exploited a local privilege escalation vulnerability in the Zimbra server. After a week of dwell time, the threat actor exfiltrated approximately 100GB of data from the mail server without taking any “destructive action by the point of disruption.”

After one month, the threat actor moved laterally to a vulnerable domain-joined Windows XP device. Over a monthlong period, the attacker continued to move laterally across the network, performing reconnaissance and deploying multiple custom tools and malware. Dtrack was one variant used, which the researchers believe is an updated version of GREASE.

In the observed campaign, the threat actor used readily available, off-the-shelf webshells and custom binaries, in addition to abusing legitimate Windows and Unix tools. A successful exploit can enable an attacker to install tools for proxying, tunneling, and relaying connections.

The “actor used many built-in commands to enumerate the network and compromised devices,” the report notes. “Some of these commands were hardcoded into binaries, but others were run manually by the operators. Many commands used were standard Windows command line tools, though two PowerShell cmdlets were also run.”

Its C2 behavior suggests that it employs a small number of C2 servers, which are connected through multiple relays and endpoints. The report notes that “some C2 servers appear to themselves be compromised victims.”

What’s more, “web shells and Cobalt Strike beacons were observed which served as persistence mechanisms,” the report authors wrote. Legitimate accounts were also compromised, and the threat actors created illegitimate accounts. The actor also created auto-run services and scheduled tasks, commonly used to persist on a network.

The researchers warned that the actor also attempted to remove artifacts and indicators of their presence, such as deleting files and tools and clearing logs, to evade detection. They also tried “to give dropped files innocent names which would blend into the system.” In one instance, they named files the same as directories within a parent network of exploited Zimbra servers.

The report contains a long list of tactics and methods deployed during the observed campaign that can support identification and possible remediation.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
