Deep-Dive: Up close and personal with the MOVEit zero-day vulnerability
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoLaura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoLaura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Deep Dive: Navigating the Critical CUPS Vulnerability in GNU-Linux Systems
Discover the latest security challenges facing Linux users as we explore recent high-severity vulnerabilities in the Common UNIX Printing System (CUPS). Learn how these issues may lead to potential Remote Code Execution (RCE) and what you can do to protect your systems.