Lazarus launches attacks on medical and energy industries
A Lazarus Group cyberattack is targeting the medical research and energy industries, and their supply chain partners, by exploiting known vulnerabilities in unpatched Zimbra devices, according to WithSecure research.
The campaign, called "No Pineapple," takes its name from an error string one of the group's backdoors appends to its output in the event data exceeds the segmented byte size. The report suggests that the goal is to gather intelligence from victim organizations. The group exploits known vulnerabilities in these devices to gain initial access and escalate privileges, leading to data exfiltration.
The victims include a manufacturer of technology used in energy, research, defense, and healthcare, a chemical engineering department of a leading research university, and organizations in other verticals.
The attack relies on a critical remote code execution vulnerability, CVE-2022-41352, which carries a severity rating of 9.8 and was actively exploited in the wild starting in mid-September 2022. Zimbra released a recommended workaround, installing the pax utility and restarting Zimbra services, but the WithSecure report shows that the flaw was indeed exploited by the Lazarus Group.
The vulnerability exists because the devices use an antivirus engine that relies on the cpio utility to unpack inbound email attachments for scanning; a crafted archive lets the attacker reach any file on the Zimbra device. The Lazarus Group uses readily available webshells and custom binaries, in addition to legitimate Windows and Unix tools, to carry out the attack.
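The vendor workaround mentioned above is to install pax so the mail filter no longer falls back to cpio. The following script is an added example, not code from the article or from WithSecure or Zimbra, that a defender can run on a mail host to verify which unpacker is reachable through PATH; the lookup through PATH and the script name used in the guard are assumptions, and it does not inspect the Amavis configuration itself.

```shell
#!/bin/sh
# Added example (not from the article, WithSecure or Zimbra): report whether the
# pax workaround for CVE-2022-41352 is in place on this host. The check uses
# PATH lookup only, which is an assumption about how the mail filter finds its
# unpacker; confirm against the actual filter configuration as well.

# Prints "pax" when a pax binary is reachable, "cpio-only" when only cpio is
# found, and "none" when neither is present.
unpacker_status() {
    if command -v pax >/dev/null 2>&1; then
        echo "pax"
    elif command -v cpio >/dev/null 2>&1; then
        echo "cpio-only"
    else
        echo "none"
    fi
}

# Succeeds (exit 0) only when pax is available, i.e. the workaround is applied.
workaround_applied() {
    [ "$(unpacker_status)" = "pax" ]
}

# One-line verdict for operators running the script directly.
main() {
    case "$(unpacker_status)" in
        pax)       echo "OK: pax present; Zimbra workaround for CVE-2022-41352 in place" ;;
        cpio-only) echo "WARN: pax missing, cpio present; apply the vendor workaround or patch" ;;
        none)      echo "WARN: neither pax nor cpio found; verify the mail-filter configuration" ;;
    esac
}

main
```

Run it as root on the Zimbra host after applying the workaround; a "WARN" line means attachments may still be handed to cpio, so the patch or the pax install should be completed before the server is considered mitigated.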
The intrusion began against a Zimbra mail server in August, where the attackers also exploited a local privilege escalation vulnerability. After a month of reconnaissance and lateral movement, the attackers exfiltrated approximately 100GB of data. The report lists the tactics and tools observed during the campaign to support identification and remediation.
The sources for this piece include an article in SCMagazine.