In the report, WithSecure says that the attack targeted research organizations in the public and private sector. The motive is believed to be intelligence gathering. WithSecure named the campaign “No Pineapple” after an error message in a backdoor that appears when data exceeds the segmented byte size.
The attackers first compromised an unnamed target on August 22nd by exploiting the documented Zimbra vulnerabilities CVE-2022-27925 (for remote code execution) and CVE-2022-37042 (for authentication bypass) to drop a webshell on their mail server. By November 5th, a reported 100 gigabytes of data had been copied, but apparently not tampered with.
The dangers of the combined vulnerabilities had only just been reported on a week and a half prior:
While there were a number of technical indications consistent with previous Lazarus Group campaigns, some of the attribution came about through a blatant mistake by the attackers: an apparent failure to mask one of the rare North Korean IP addresses. Typically, attacks attributed to Lazarus Group have addresses pointing to nearby China, providing a small obstacle to investigators.
As well, a timezone analysis indicated a work schedule consistent with a Pyongyang-based cyber operation.
While the targets and exfiltrated data sources are as-of-now unnamed, WithSecure says that they included:
“…Healthcare research, a manufacturer of technology used in energy, research, defense, and healthcare verticals, as well as the chemical engineering department of a leading research university.”
WithSecure