CVE-2022-23529 is a vulnerability rated high severity (CVSS 7.6).
It is an insecure input validation flaw in the jwt.verify function that allows untrusted entities to modify the key retrieval parameter of jwt.verify on a host that the user controls.
JWT (pronounced “jot”) is an open standard that defines a method of transferring information securely by encoding and signing JSON data in three parts: Header.Payload.Signature. It is used to carry information needed for the user authentication process.
In theory, Threat Actors can use this kind of flaw for Remote Code Execution by bypassing authentication and authorization mechanisms. Within the JWT package is the verify method, which receives the parameters token, secretOrPublicKey, and options. If no allowed algorithms are given in the options.algorithms list, the allowed algorithms are instead derived from the secretOrPublicKey value, which is expected to hold the contents of a Privacy Enhanced Mail (PEM) file. The vulnerability exists because secretOrPublicKey is assumed to be valid PEM content: the toString method of that object is called without any verification of its type. Threat Actors can supply their own malicious toString method in its place. The malicious code is then executed, and can exit the node process, before the “.includes(‘BEGIN CERTIFICATE’)” check in the verify function is conducted. This allows an arbitrary file write on the host machine.
If the secrets are stored in a Secret Manager rather than on the authenticating server, a Threat Actor with write access to the manager could execute code on the authentication server. Yet this is only possible if there is no check that the object is valid; if there is such a check, remote code execution is not achievable. Because the output of the Secret Manager is dynamic and uncertain, the Threat Actor will have a difficult time. For this exploit to work, the Threat Actor must have access to and control over the secretOrPublicKey value, and the secret keys must not be stored securely within the secret management process. Many researchers state that this exploit is a hypothetical case, as the Secret Manager would have to be part of the same context (app) with a non-serialized secret, and the Secret Manager would itself have to contain a vulnerability that allows users to define a function.
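The algorithm-inference step described above, rewritten as an added defensive example (not code from the jsonwebtoken project): the type of secretOrPublicKey is validated before its toString method is ever used, and an explicit algorithms list is preferred. The PEM heuristics and the HS/RS/ES lists are a simplified reconstruction, and KeyObject inputs are not handled here; both are assumptions of this example.

```javascript
// Added defensive example; not code from the jsonwebtoken project.
// The vulnerable pattern called secretOrPublicKey.toString() and looked for
// 'BEGIN CERTIFICATE' without checking the value's type, so an object carrying
// its own toString would have that method run. Here the type is validated
// first, and an explicit algorithms list always takes precedence.
// The PEM heuristics and algorithm lists below are a simplified reconstruction
// (assumption); KeyObject inputs are not handled.
const HMAC = ['HS256', 'HS384', 'HS512'];
const RSA = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'];
const EC = ['ES256', 'ES384', 'ES512'];

// Only inert key-material types are accepted; nothing else is ever stringified.
function isAcceptableKeyMaterial(key) {
  return typeof key === 'string' || Buffer.isBuffer(key);
}

function resolveAllowedAlgorithms(secretOrPublicKey, options = {}) {
  if (!isAcceptableKeyMaterial(secretOrPublicKey)) {
    // Reject before any method on the untrusted value can be invoked.
    throw new TypeError('secretOrPublicKey must be a string or Buffer');
  }
  if (Array.isArray(options.algorithms) && options.algorithms.length > 0) {
    return options.algorithms; // explicit allow-list always wins
  }
  // Safe now: toString is String.prototype's or Buffer.prototype's.
  const text = secretOrPublicKey.toString();
  if (text.includes('BEGIN CERTIFICATE') || text.includes('BEGIN PUBLIC KEY')) {
    return RSA.concat(EC);
  }
  if (text.includes('BEGIN RSA PUBLIC KEY')) {
    return RSA;
  }
  return HMAC; // anything else is treated as a plain shared secret
}

// Constructed check: an object whose toString only counts its own invocations.
// With the hardened function the counter must stay at zero.
function selfCheck() {
  const probe = { calls: 0, toString() { this.calls += 1; return '-----BEGIN CERTIFICATE-----'; } };
  let rejected = false;
  try {
    resolveAllowedAlgorithms(probe);
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return { rejected, toStringCalls: probe.calls };
}
```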
The growth of enterprise-focused ransomware activity into 2020 has proved successful for Threat Actors (TA). “MAN1”, aka “Moskalvzapoe”, aka “TA511”, is the threat actor using “Hancitor”, as major e-crime groups have shifted away from conventional banking trojan operations and toward ransom and data theft. This TA has been active over the last year, doubling its victims, with a steady increase in paying victims over that time. Its main target industries have been Finance, Government, Healthcare, Critical Infrastructure, and IT, whereas its earlier targets were the aviation, financial, education, and manufacturing industries. The TA has acquired over $60 million in ransomware payments over this period.
The campaign uses Cuba ransomware in its attacks; the name is not an indicator of any relationship with the nation state of Cuba. The group deploys the ransomware using “Hancitor” (an information stealer and malware downloader) as its distribution tool, which was typically distributed via spam campaigns. Such emails are disguised to look like DocuSign notifications. This campaign has used “ZeroLogon” as its exploit tool and leveraged a “dropper that writes a kernel driver to the file system called ApcHelper.sys. This targets and terminates security products.” In the last 2 years, ransomware groups have found it beneficial to evolve their attacks into “double extortion” (2nd generation ransomware attacks), where the TA encrypts the data, requests a ransom, and threatens to post the stolen data if the target does not pay. Around May 2022, the TA began posting the data for sale on Industrial Spy’s online marketplace.
The TA’s TTPs include “copying legitimate HTML code of public-facing webpages, modifying the code, and then incorporating it in a spoofed domain.” Their ransom notes state that they have done thorough research on the target’s “whole corporate network”, have encrypted the data, and give the target 3 days to pay before making the information public. Their notes claim they are very professional, will operate under the agreed terms of recovery and confidentiality, and will supply evidence of the information obtained. The TA provides contact information and infrastructure for victims to make payment and maintain correspondence, in the form of a PACE (Primary, Alternate, Contingency, Emergency) contact methodology.