VerSprite CyberWatch. We Dive Into the Latest CyberSecurity News

January 17, 2023
Author:  Daniel Stiegman

Severe Security Flaw Alert: JWT Secret Poisoning (CVE-2022-23529)

CVE-2022-23529 is a vulnerability rated as high severity (CVSS 7.6).

The vulnerability is insecure input validation in the jwt.verify function, which allows an untrusted entity to control the key retrieval parameter (secretOrPublicKey) of jwt.verify on a host that a user controls.

JSON Web Tokens (JWT) is an open-source JavaScript package, developed and maintained by Auth0 (Okta). It allows for verification and authentication on protected resources, securely transmitting information as a JSON object.

JWT (pronounced “jot”) is an open standard that defines a method of transferring information securely by encoding and signing JSON data in three parts: Header.Payload.Signature. It stores information that is useful during the authentication process for users.

What is JWT:

  • JWT Header: Indicates the type of the token and the signing algorithm.
  • JWT Payload: Indicates information about the user (e.g., username and admin: true).
  • JWT Signature: Signed using a secret key to ensure the token is authentic.
  • When a user attempts to log in to a protected asset with credentials, the credentials are sent to an authentication server, which validates them and signs a JWT with a secret key.
  • That signing secret is stored on the server or with a secret manager.
  • From then on, the user’s requests carry that JWT, allowing access if the permissions exist.
  • When the user attempts to access a protected resource, the request contains a newly generated JWT from the JWT authentication server.
  • Before the user is given access, the JWT is verified with the secret key.


In theory, threat actors can use this kind of flaw for remote code execution by bypassing authentication and authorization mechanisms. Within the JWT package is the method verify, which receives the parameters token, secretOrPublicKey, and options. If no allowed algorithms are given in the options.algorithms list, the library decides which algorithm to use from the content of secretOrPublicKey, which it expects to be a Privacy-Enhanced Mail (PEM) file. The vulnerability exists because the function assumes secretOrPublicKey holds valid PEM content: the object’s toString method is called without verifying what the object actually is. A threat actor who controls that value can supply an object with their own malicious toString method in its place. The malicious code then executes, and can exit the Node process, before the “.includes('BEGIN CERTIFICATE')” check in the verify function is reached. This allows an arbitrary file write on the host machine.

If the secrets are stored in a secret manager instead of on the authenticating server, a threat actor with write access to the manager could execute code on the authentication server. This is only possible if there is no check that the retrieved object is valid; if there is such a check, remote code execution is not achievable. Because the output of the secret manager is dynamic and uncertain, the threat actor will have a difficult time. For this exploit to work, the threat actor must have access to and control of the secretOrPublicKey value, and the application must not store its secret keys securely within the secret management process. Many researchers consider this exploit a hypothetical case, as the secret manager would have to be part of the same context (application) with a non-serialized secret, and the secret manager would also have to contain a vulnerability that allows users to define a function.

The reported fix for this vulnerability is to upgrade from version 8.5.1 to 9.0.0.

Contact us today to learn how you can better protect your organization.

December 13, 2022
Author:  Daniel Stiegman

VerSprite Threat Intelligence Analyst reacts to the recent FBI and CISA joint advisory on Cuba Ransomware:

The increase in enterprise-focused ransomware activity into 2020 has proved successful for threat actors (TA). “MAN1,” aka “Moskalvzapoe,” aka “TA511,” has been the threat actor utilizing “Hancitor” as major e-crime groups have shifted away from normal banking trojan operations and toward ransom and data theft. This TA has been active over the last year, doubling its victims and showing a steady increase in paying victims over that time. Its main target industries have been finance, government, healthcare, critical infrastructure, and IT, while the earlier targets were the aviation, financial, education, and manufacturing industries. The TA has acquired over $60 million in ransomware payments over this period.

The campaign uses Cuba ransomware in its attacks, which is not an indicator of a relationship with the nation-state of Cuba. The group deploys the ransomware using the distribution tool “Hancitor” (an information stealer and malware downloader), which was typically distributed via spam campaigns; such emails are disguised to look like DocuSign notifications. This campaign has used “ZeroLogon” as an exploit tool and leveraged a “dropper that writes a kernel driver to the file system called ApcHelper.sys. This targets and terminates security products.” In the last two years, ransomware groups have found it beneficial to evolve their attacks into “double extortion” (second-generation ransomware attacks), where the TA encrypts the data, requests a ransom, and threatens to post the stolen data if the target does not pay. Around May 2022, the TA began posting the data for sale on Industrial Spy’s online marketplace.

Cuba Ransomware

The TA’s TTPs include “copying legitimate HTML code of public-facing webpages, modifying the code, and then incorporating it in a spoofed domain.” Their ransom notes state that they do thorough research on the target’s “whole corporate network,” encrypt the data, and give the target three days to pay before making the information public. The notes claim they are very professional, will operate within agreed terms of recovery and confidentiality, and would supply evidence of the information obtained. The TA provides contact information and infrastructure for victims to make payment and maintain correspondence through a form of PACE (Primary, Alternate, Contingency, Emergency) contact methodology.

Link to the advisory


PASTA Threat Modeling: The Process for Attack Simulation and Threat Analysis

VerSprite leverages our PASTA (Process for Attack Simulation and Threat Analysis) methodology to apply a risk-based approach to threat modeling. This methodology integrates business impact, inherent application risk, trust boundaries among application components, correlated threats, and attack patterns that exploit identified weaknesses from the threat modeling exercises.