Lazarus Group Exploits Unpatched Zimbra Devices

An intelligence-gathering campaign

• The targets were healthcare research organizations in India, a chemical engineering department of a research university, a manufacturer of technology used in the energy, research, defense, and healthcare sectors; and an unnamed customer.
• Further, around 100GB of data is believed to be exported by the hacking group along with the compromise of an unnamed customer. The digital break-in took place in the Q3 of 2022.

Explotation of Zimbra servers

• In one of the attacks, Lazarus gained access to a flawed Zimbra mail server by abusing RCE flaws tracked as CVE-2022-27925 and CVE-2022-37042.
• Further, a local privilege escalation flaw was abused in the Zimbra server (CVE-2021-4034) and web shells were installed, allowing the threat group to harvest sensitive mailbox data.

Tools and Tactics

• After initial infection via Zibra servers, the threat actors deployed several malicious threats, including BindShell, 3proxy, Grease, Acres, DTrack, App.relch, Webshell.G, and Webshell.B, over a period of several months.
• The threat group used off-the-shelf web shells and custom binaries and abused genuine Windows/Unix tools. The tools were installed for proxying, tunneling, and relaying connections.
• Additionally, the C2 behavior indicates that attackers had used a small number of C2 servers connected through numerous relays and endpoints.

Conclusion