Deep-Dive: Up close and personal with the MOVEit zero-day vulnerability
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Secure by Design: Defining Best Practices, Enabling Developers and Benchmarking Preventative Security Outcomes
In this research paper, Secure Code Warrior co-founders, Pieter Danhieux and Dr. Matias Madou, Ph.D., along with expert contributors, Chris Inglis, Former US National Cyber Director (now Strategic Advisor to Paladin Capital Group), and Devin Lynch, Senior Director, Paladin Global Institute, will reveal key findings from over twenty in-depth interviews with enterprise security leaders including CISOs, a VP of Application Security, and software security professionals.
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
Finding meaningful data on the success of Secure-by-Design initiatives is notoriously difficult. CISOs are often challenged when attempting to prove the return on investment (ROI) and business value of security program activities at both the people and company levels. Not to mention, it’s particularly difficult for enterprises to gain insights into how their organizations are benchmarked against current industry standards. The President’s National Cybersecurity Strategy challenged stakeholders to “embrace security and resilience by design.” The key to making Secure-by-Design initiatives work is not only giving developers the skills to ensure secure code, but also assuring the regulators that those skills are in place. In this presentation, we share a myriad of qualitative and quantitative data, derived from multiple primary sources, including internal data points collected from over 250,000 developers, data-driven customer insights, and public studies. Leveraging this aggregation of data points, we aim to communicate a vision of the current state of Secure-by-Design initiatives across multiple verticals. The report details why this space is currently underutilized, the significant impact a successful upskilling program can have on cybersecurity risk mitigation, and the potential to eliminate categories of vulnerabilities from a codebase.
Secure code training topics & content
Our industry-leading content is always evolving to fit the ever changing software development landscape with your role in mind. Topics covering everything from AI to XQuery Injection, offered for a variety of roles from Architects and Engineers to Product Managers and QA. Get a sneak peak of what our content catalog has to offer by topic and role.
Resources to get you started
Revealed: How the Cyber Industry Defines Secure by Design
In our latest white paper, our Co-Founders, Pieter Danhieux and Dr. Matias Madou, Ph.D., sat down with over twenty enterprise security leaders, including CISOs, AppSec leaders and security professionals, to figure out the key pieces of this puzzle and uncover the reality behind the Secure by Design movement. It’s a shared ambition across the security teams, but no shared playbook.
Is Vibe Coding Going to Turn Your Codebase Into a Frat Party?
Vibe coding is like a college frat party, and AI is the centerpiece of all the festivities, the keg. It’s a lot of fun to let loose, get creative, and see where your imagination can take you, but after a few keg stands, drinking (or, using AI) in moderation is undoubtedly the safer long-term solution.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
