Chemical companies are the latest to be targeted by the well-known North Korean group, which has targeted financial firms, security researchers, and technology companies in the past.

The North Korean-linked Lazarus group sent fake job offers to targets in the chemical sector and information technology firms, which — when opened — install Trojan horse programs to collect information and send it back to the attackers, technology provider Broadcom's security arm Symantec stated in an advisory on April 14.

The attack is part of a long-running campaign — dubbed Operation Dream Job — that sends targets in specific industries malicious Web files disguised as job offers, which when opened attempts to compromise the system. While the current set of attacks focuses on South Korean chemical companies and their IT service providers, other targets have included industries and government agencies in Europe, Asia, and the United States. This campaign marks a shift, as Lazarus in the past targeted the defense, government, and engineering sectors.

The attacks have, at various times, targeted defense contractors, engineering firms, government agencies, and even pharmaceutical companies during the height of the pandemic, says Dick O’Brien, principal intelligence analyst for Symantec's threat-hunting team.

"North Korea-linked attackers have a long history of targeting intellectual property, presumably to assist strategically important engineering or technology projects," he says, adding: "Across all attacks, we’ve seen a range of data theft \[and\] data exfiltration tools deployed on infected computers. We’re assuming that they take what they need before moving on."

Other security and technology firms have also documented Lazarus's involvement in Operation Dream Job, which some researchers track as Operation AppleJeus. In early 2021, the Lazarus group targeted security researchers with similar offers of high-level jobs in the industry. And, earlier this year, the attackers targeted more than 250 individuals working for news media, software vendors, and Internet infrastructure providers, using job offers that appeared to come from Disney, Google, and Oracle, according to Google, which tracked the campaign.

A related campaign targeted cryptocurrency and financial technology and services firms, Adam Weidemann, a researcher with Google's Threat Analysis Group, stated in a late March blog post.

"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques," he wrote. "It is possible that other North Korean government-backed attackers have access to the same exploit kit."

**Long-Running Campaign  
**The April 14 advisory from Symantec noted that the campaign started at least as early as August 2020, albeit with a different set of targets. While the current campaign targets the chemical sector, campaigns discovered in 2020 had focused on government agencies and defense contractors, the company stated in its advisory.

"Operation Dream Job involves Lazarus using fake job offers as a means of luring victims into clicking on malicious links or opening malicious attachments that eventually lead to the installation of malware used for espionage," the company said.

Symantec's threat team outlined the steps in a successful attack in January 2022, which completed less than four days after the target received the file until the final execution of a program that collected and exfiltrated system data. After the targeted user opened the fake job offer, the attack exploited a vulnerability in one of two software packages, the INISAFE Web EX Client for system management or MagicLine, a gym management program, says Symantec's O'Brien.

"They’re not household names for us but our working assumption is they’re widely used in the industry or sector they’re currently targeting," he says. "An alternative hypothesis is they installed the software themselves in order to inject into it, but we haven’t seen any evidence of that."

While companies not running either application may not have to worry about this particular attack, cyber-espionage groups such as Lazarus are very good at tailoring attacks to match their target's environment, he says.

For that reason, no single solution will help prevent cyber-espionage attacks, O'Brien stressed. Instead, companies should take a layered approach to defense, using network detection, endpoint security, and hardening technologies — such as multifactor authentication — to protect against multiple vectors of attack, he says.

"We’d also advise implementing proper audit and control of administrative account usage, \[and\] you could also introduce one-time credentials for administrative work to help prevent theft and misuse of admin credentials," O'Brien says. "We’d also suggest creating profiles of usage for admin tools, \[because\] many of these tools are used by attackers to move laterally undetected through a network."

Lazarus Targets Chemical Sector With 'Dream Jobs,' Then Trojans

Authenticated (admin+) Stored Cross-Site Scripting (XSS) in WP Maintenance (WordPress plugin) <= 6.0.4 affects multiple inputs.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

The WP Maintenance plugin allows you to put your website on the waiting time for you to do maintenance or launch your website. Personalize this page, pictures and countdown with:

**Features**

*   Choice texts colors and fonts
*   Upload logo picture
*   Upload background picture or pattern
*   Slider
*   Countdown
*   Google Analytics ready
*   Social Networks ready
*   Customize CSS
*   Insert for shorcode (Newletter or Contact form)
*   Enable “503 Service temporarily unavailable”
*   Choose access by Roles and Capabilities
*   Choose access by IP address
*   Choose access by ID Pages

wp-maintenance.pot file available

1.  Upload the full directory into your ‘/wp-content/plugins’ directory
2.  Activate the plugin at the plugin administration page

You will find ‘WP Maintenance’ menu in your WordPress admin panel

**WP Maintenance Needs Your Support**

It is hard to continue development and support for this free plugin without contributions from users like you. If you enjoy using WP Maintenance and find it useful, please consider making a donation. Your donation will help encourage and support the plugin’s continued development and better user support.

**I have activated plugin and don’t see any changes, looks like plugin is not working.**

This is normal because you are logged in as an administrator. Try a different browser or use the preview link. If you have registered as a wordpress user, you see the site in normal mode.

**I have disabled plugin but I don’t see any changes, I have always the maintenance page, looks like plugin is not working.**

You have a cache plugin ? Try to purge it and try again.

**Where can I find out the login page to get to the site?**

You can use your administrator access or create new user in wordpress dashboard  
https://yousite.com/wp-admin/

**Can I change the plugin code?**

Yes. Thank you for submitting your changes to update the plugin.

**Translations**

You can translate WP Maintenance on **translate.wordpress.org**.

![](https://secure.gravatar.com/avatar/946618013301e878c15dfae30ec48371?s=60&d=retro&r=g)

très bon plugin, seul bémol il ne fonctionne pas sur les mobiles, impossible de l'activer sur les mobiles

![](https://secure.gravatar.com/avatar/9e0b3d7edb75cfc783ba50ff3bde118a?s=60&d=retro&r=g)

Propre, efficace, maintenue, gratuite, que demander de + ? Merci au dev !

![](https://secure.gravatar.com/avatar/191a96f2e67c1a008cfa911bc4e9a17c?s=60&d=retro&r=g)

Efficace et pratique. Merci à l'Auteur

![](https://secure.gravatar.com/avatar/777791c35a3b67af57ad92f5a1c9a04c?s=60&d=retro&r=g)

Je pensais avoir trouvé un super widget avec celle-ci, mais elle réagit vraiment bizarrement au point ou parfois on perd du temps pour savoir si des choses marchent. La page rs notamment. On dit que l'on peut mettre ses propres images rs. Cela ne marche pas... et je ne sais pas pourquoi... d'autant que l'appli semble vous aider en ajoutant l'url du dossier de destination. Mais quand vous complétez le chemin et enregistrez... ben il commence forcement l'enregistrement par https... parmi les icônes proposées une série fonctionne pas... tout ça est bien dommage. Enfin si l'auteur peut déjà "clarifier" et comment on met ses propres icones ce serait cool.

![](https://secure.gravatar.com/avatar/8eb9aa5197a2b8f4b8831a0b604c685e?s=60&d=retro&r=g)

Отличный дизайн плагина и полный перевод на русский язык. Спасибо!

![](https://secure.gravatar.com/avatar/4844bf0f6d567a7f19e682f820c11d26?s=60&d=retro&r=g)

3 mn chrono pour ma page ! Bravo.

Read all 71 reviews

“WP Maintenance” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/a6c69172b8ad02376d02ce8a4b62b41e?s=32&d=mm&r=g) Florent Maillefaud

CVE-2021-36828: WP Maintenance

Nyron 1.0 is affected by a SQL injection vulnerability through Nyron/Library/Catalog/winlibsrch.aspx. To exploit this vulnerability, an attacker must inject '"> on the thes1 parameter.

    # Exploit Title: Nyron 1.0 - SQLi (Unauthenticated)
    # Google Dork: inurl:"winlib.aspx"
    # Date: 01/18/2021
    # Exploit Author: Miguel Santareno
    # Vendor Homepage: http://www.wecul.pt/
    # Software Link: http://www.wecul.pt/solucoes/bibliotecas/
    # Version: < 1.0
    # Tested on: windows
    
    # 1. Description
    
    Unauthenticated user can exploit SQL Injection vulnerability in thes1 parameter.
    
    
    # 2. Proof of Concept (PoC)
    
    https://vulnerable_webiste.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='">
    
    
    # 3. Research:
    https://miguelsantareno.github.io/edp.pdf

CVE-2022-23865: Offensive Security’s Exploit Database Archive

An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.

CVE-2021-43286: Releases - Version notes | GoCD

Stored XSS viva .svg file upload in GitHub repository causefx/organizr prior to 2.1.1810. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

**Description**

The application allows .svg files to upload which leads to stored XSS

**Proof of Concept**

1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing

2.Login to the application with Co-admin account and go to "Settings" -> "Image Manager" and upload the downloaded "XSS.svg" payload.

3.Then login with admin account and go to "Settings" -> "Image Manager" and select the "XSS.svg" and open it on a new tab or open the uploaded location you will see that XSS will trigger and this can lead to the admin account takeover.

**PoC video:**

    https://drive.google.com/file/d/1jdjUHuQPG0xVR3pImcg3vT4cuxhIEuBi/view?usp=sharing
    

**Impact**

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

CVE-2022-1345: Stored XSS viva .svg file upload in organizr

Stored XSS due to no sanitization in the filename in GitHub repository causefx/organizr prior to 2.1.1810. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

**Description**

The organizr application doesn't sanitize malicious javascript payload which leads to stored XSS and can also perform to the takeover admin account.

**Proof of Concept**

1.Login with Co-admin account and go to "Settings" -> "Image Manager" and upload any small size jpeg image and intercept the request on burp suite.

2.Then change the name of the uploaded image with the below XSS payload and forward the request:

         <img src=1 onerror=alert(1337)>.jpeg
    

3.Then login with admin account and go to "Settings" -> "Image Manager" and open the uploaded image by Co-admin you will see that XSS will trigger.

**PoC Video**

    https://drive.google.com/file/d/1X8-YyNkt8-MBLY2Btezn2Wel6HLjyhtu/view?usp=sharing
    

**Impact**

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

CVE-2022-1344: Stored XSS due to no sanitization in the filename in organizr

Multiple Stored XSS in GitHub repository causefx/organizr prior to 2.1.1810. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

**Description**

The organizr application allows malicious javascript payload in multiple-input fields like "Categories", "Bookmark Tabs" and "Bookmark Categories" for which attacker can takeover the admin account.

**Proof of Concept**

1.Login to the co-admin account and go to go to "Settings" -> "Tab Editor".

2.Now in "Categories", "Bookmark Tabs" and "Bookmark Categories" Add options insert the below payloads:

          <img src=x onerror=alert(document.cookie)>
    
          <img src=x onerror=alert(document.domain)>
    
          <img src=x onerror=alert(document.location)>
    

3.Then login with the admin account and go to "Settings" -> "Tab Editor" and visit the "Categories", "Bookmark Tabs" and "Bookmark Categories" and you will see XSS will trigger in all those fields.

**PoC Video**

    https://drive.google.com/file/d/1n9FvXxzzmvtZc4VsdzOHl0oPxSnSDpMy/view?usp=sharing
    

**Impact**

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

Tag

#google