Deep-Dive: Up close and personal with the MOVEit zero-day vulnerability
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Professional Services - Accelerate with expertise
Secure Code Warrior’s Program Strategy Services (PSS) team helps you build, enhance, and optimize your secure coding program. Whether you're starting fresh or refining your approach, our experts provide tailored guidance.
Secure code training topics & content
Our industry-leading content is always evolving to fit the ever changing software development landscape with your role in mind. Topics covering everything from AI to XQuery Injection, offered for a variety of roles from Architects and Engineers to Product Managers and QA. Get a sneak peak of what our content catalog has to offer by topic and role.
Quests: Industry leading learning to keep developers ahead of the game mitigating risk.
Quests is a learning platform that helps developers mitigate software security risks by enhancing their secure coding skills. With curated learning paths, hands-on challenges, and interactive activities, it empowers developers to identify and prevent vulnerabilities.
Resources to get you started
Is Vibe Coding Going to Turn Your Codebase Into a Frat Party?
Vibe coding is like a college frat party, and AI is the centerpiece of all the festivities, the keg. It’s a lot of fun to let loose, get creative, and see where your imagination can take you, but after a few keg stands, drinking (or, using AI) in moderation is undoubtedly the safer long-term solution.
The Decade of the Defenders: Secure Code Warrior Turns Ten
Secure Code Warrior's founding team has stayed together, steering the ship through every lesson, triumph, and setback for an entire decade. We’re scaling up and ready to face our next chapter, SCW 2.0, as the leaders in developer risk management.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
