Finnish Cybersecurity Firm, WithSecure, recently discovered a large-scale espionage event targeting Zimbra web clients and email addresses in order to quietly obtain private data.
The event has been dubbed “No Pineapple” due to an error message in a backdoor, which will say “<No Pineapple>” in the event that data exceeds a segmented byte size.
The campaign used vulnerabilities in Zimbra to target organizations in energy, defense, chemical engineering, healthcare, medical research, and a large research university. It lasted between August and November — though the RCE flaw used to exploit the system was patched in May earlier this year, the breach didn’t begin until a Zimbra security update was released in August.
The attack vector began with Lazarus exploiting known Zimbra server vulnerabilities. After the hackers breached the servers they deployed web shell scripts and Cobalt Strikes as persistence mechanisms. They also deployed proxy and tunneling tools to create reverse tunnels to the hackers’ infrastructure, allowing them to bypass network firewalls.
While Lazarus is a group that’s been active in the past, researchers have noted that what sets this attack apart is the use of new infrastructure, like the reliance on IP addresses without domain names.
For the next two months after the breach, the hackers began to deploy laterally through the network, stealing over 100GB of data while obtaining key admin credentials. Notably, the hackers didn’t attempt to infect devices with destructive malware.
“Threat actor exfiltrated ~100GB of data but took no destructive action by the point of disruption”
Researchers were able to conclude that the No Pineapple originated from the North Korean hacker group, Lazarus thanks to a mistake made by one of the threat actors. During a slip-up, one of the web shells communicated with a North Korean IP address.
Combined with time-zone analysis, similarities to other Lazarus malware strains, and similarities with reports from previous threats, WithSecure says they have strong confidence that the breach comes from Lazarus.