MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do
Last week, Progress Software Corporation alerted its customers of its MOVEit Transfer and related MOVEit Cloud products about a critical vulnerability dubbed CVE-2023-34362. MOVEit Transfer is a system that provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting, making it easy for users to store and share files throughout a team, a department, or a company.
Unfortunately, MOVEit's web-based front-end turned out to have a SQL injection vulnerability. In a web-based SQL injection vulnerability, an HTTP request submitted to a web server is converted insecurely into a query that the server issues to its database in order to work out what HTTP reply to construct. This vulnerability affects MOVEit's SQL back-end databases and has already been exploited by data breach gangs. In this report, we will discuss the how, the why, and what to do about this vulnerability.
How Does a Web-Based SQL Injection Attack Work?
For example, a database search triggered from a web page might end up as a URL requested by your browser that looks like this:
https://search.example.com/?type=file&name=duck
The query text “duck” could then be extracted from the name parameter in the URL, converted into database query syntax, and stitched into a command to submit to the database server. If the backend data is stored in a SQL database, the web server might convert the URL into a SQL command like the one shown below:
SELECT filename FROM filesdb WHERE name LIKE '%duck%'
The % characters added to the text “duck” mean that the search term can appear anywhere in the retrieved filename, and the single quote characters at each end are added as markers to denote a SQL text string.
The web server needs to be careful with the filenames submitted as a search term in case a malicious user creates and requests a URL like this:
https://search.example.com/?type=file&name=duck';DROP table filesdb;--
The search term “duck';DROP table filesdb;--” will trick the web server into sending the SQL server a command like,
SELECT filename FROM filesdb WHERE name LIKE '%duck';DROP TABLE filesdb;--%'
Because a semicolon acts as a statement separator in SQL, this single-line command is the same as sending three consecutive commands:
SELECT filename FROM filesdb WHERE name LIKE '%duck'   -- matches names ending in "duck"
DROP TABLE filesdb                                     -- deletes the whole filesdb table
--%'                                                   -- a comment, so the rest of the line is ignored
The injected “close quote” character terminates the search string early, allowing two injected commands to follow. The first extra command is the destructive DROP TABLE instruction. The second is a “comment command” that causes the rest of the line to be ignored, thus eating up the trailing %' characters generated by the server's command generator, which would otherwise have caused a syntax error and prevented the injected DROP TABLE command from working.
Web-based SQL injection attacks cause an additional SQL command to be injected into the handling of the request.
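The stitching described above, reproduced in runnable form. This is an added example written for this article, not code from Progress Software or from MOVEit: the filesdb table, its three sample rows and the in-memory SQLite database are constructed here, and executescript() stands in for a database driver that accepts several statements in one string. The same search is then written with a parameterized query, which is the fix the "What to Do" section recommends.

```python
import sqlite3

# Constructed sample data standing in for the article's "filesdb" table.
SAMPLE_ROWS = [("duck", "rubber_duck.png"),
               ("duckling", "duckling.jpg"),
               ("goose", "goose.txt")]

# The attacker-controlled "name" parameter from the article's second URL.
INJECTED_TERM = "duck';DROP TABLE filesdb;--"


def fresh_db():
    """In-memory SQLite database holding the article's filesdb table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE filesdb (name TEXT, filename TEXT)")
    con.executemany("INSERT INTO filesdb VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def table_exists(con):
    """True while filesdb is still present in the schema."""
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'filesdb'"
    ).fetchone()
    return row is not None


def build_query_unsafe(search_term):
    """The vulnerable pattern from the article: the URL parameter is pasted
    into SQL text, so a quote character inside it becomes SQL syntax."""
    return "SELECT filename FROM filesdb WHERE name LIKE '%" + search_term + "%'"


def run_unsafe(con, search_term):
    """Run the stitched command through executescript(), which (like many
    production drivers) executes every statement in the string.
    Returns whether filesdb survived."""
    con.executescript(build_query_unsafe(search_term))
    return table_exists(con)


def search_safe(con, search_term):
    """Parameterized query: the term is bound as a value and never parsed
    as SQL, so quotes, semicolons and '--' inside it are ordinary text."""
    cur = con.execute(
        "SELECT filename FROM filesdb WHERE name LIKE ? ORDER BY filename",
        ("%" + search_term + "%",),
    )
    return [filename for (filename,) in cur.fetchall()]


if __name__ == "__main__":
    print(build_query_unsafe(INJECTED_TERM))
    con = fresh_db()
    print("safe search, benign term:   ", search_safe(con, "duck"))
    print("safe search, injected term: ", search_safe(con, INJECTED_TERM))
    print("table exists after safe search: ", table_exists(con))
    print("table exists after unsafe query:", run_unsafe(con, INJECTED_TERM))
```

Note that Python's own sqlite3 `execute()` refuses a string containing more than one statement, which is why the unsafe path goes through `executescript()`; the parameterized version needs no such care because the driver sends the query text and the value separately, so the search term can never change the shape of the command.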
Why Does This Matter?
The vulnerability could cause a range of possible outcomes, such as deletion of existing data, exfiltration of data, modification of data, or implantation of new files, including malware. The vulnerability was a zero-day, meaning that Progress found out about it because the bad guys had already been exploiting it, leaving businesses exposed to attacks.
Webshells provide a way for attackers who can add new files to web servers to come back later, break in at their leisure, and parlay that write-only access into complete remote control. Cybercriminals can implant webshells using SQL commands, and through webshells, they can run their malware in the network using nothing more suspicious than an unassuming HTTP request made by an everyday web browser.
What to Do?
- If you use the cloud version, you’re automatically up-to-date, and if you are running MOVEit on your own network, ensure that you have already patched it.
- If you can't patch, turn off the web-based (HTTP and HTTPS) interfaces to your MOVEit servers until you can.
- Search your logs for newly added web server files, newly created user accounts, and unexpectedly large data downloads.
- Use sanitization in your database inputs, meaning that you need to take great care not to allow the person submitting the search term to control how the search command gets interpreted by the backend servers involved.
- If you're a programmer, use parameterized queries, rather than generating query commands containing characters controlled by the person sending the request.
- If you’re a MOVEit user, make sure all instances of the software on your network are patched.
- Don’t forget to review your access logs in general, and if you don’t have time to do it yourself, don’t be afraid to ask for help!
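A starting point for the log review recommended above, added here as an example and not part of the original article or of any MOVEit tooling. It parses a handful of constructed web access log lines (combined log format; the IPs, paths and sizes are made up) and flags two of the things the list asks you to look for: requests for web files that are not in your known deployment baseline (a proxy for newly added server files) and unexpectedly large downloads. The baseline set and the size threshold are assumptions to tune for your own server; newly created user accounts live in the application's audit log, not here.

```python
import re

# Constructed sample lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2023:10:01:02 +0000] "GET /login.aspx HTTP/1.1" 200 4123
203.0.113.5 - - [05/Jun/2023:10:01:09 +0000] "POST /login.aspx HTTP/1.1" 302 310
198.51.100.7 - - [05/Jun/2023:10:05:44 +0000] "GET /unexpected_placeholder.aspx HTTP/1.1" 200 512
198.51.100.7 - - [05/Jun/2023:10:06:10 +0000] "GET /download.aspx?id=7 HTTP/1.1" 200 734003200
203.0.113.9 - - [05/Jun/2023:10:07:00 +0000] "GET /download.aspx?id=2 HTTP/1.1" 200 20480
"""

# Combined log format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Assumed baseline: the web files you know you deployed. Anything else is worth a look.
KNOWN_PATHS = {"/login.aspx", "/download.aspx"}

# Assumed threshold for "unexpectedly large"; 100 MiB here, tune to your normal traffic.
LARGE_BYTES = 100 * 1024 * 1024


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    # Drop the query string so /download.aspx?id=7 compares as /download.aspx.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def triage(log_text, known_paths=KNOWN_PATHS, large_bytes=LARGE_BYTES):
    """Flag requests for unknown web files and oversized responses.
    Each finding is (kind, client_ip, path, bytes)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] not in known_paths:
            findings.append(("unknown-path", rec["ip"], rec["path"], rec["bytes"]))
        if rec["bytes"] >= large_bytes:
            findings.append(("large-download", rec["ip"], rec["path"], rec["bytes"]))
    return findings


if __name__ == "__main__":
    for kind, ip, path, size in triage(SAMPLE_LOG):
        print(f"{kind:15} {ip:15} {path:35} {size}")
```

Run it against a real log by reading the file into `triage()`; a client that appears in both kinds of finding, as 198.51.100.7 does in the sample, is the one to investigate first, since that is the sequence the article describes: a new file lands on the server, then data leaves through it.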
Editorial
The use of web-based SQL injections has turned out to be a widespread practice among cybercriminals. The incident at Progress Software Corporation highlights how serious the consequences can be and, more importantly, the public’s need to pay attention to these basic security practices. It serves as a reminder to all businesses to ensure that their database inputs are sanitized, to use parameterized queries, and to audit their databases regularly. Zero-day vulnerabilities like this are frightening, considering that the cybercriminals have been exploiting them before the vendor even became aware of them.
Philosophical Discussion
The issue of cybersecurity can be traced back to the philosophical discussions about what constitutes a responsible society and how the risk of any breakdown should be allocated among various groups. Business owners, policymakers, and the public, in general, have a responsibility to understand the risks associated with cybersecurity and take steps to minimize their exposure to cyber threats. Given that businesses collect large amounts of data and rely on the internet and technology, cybersecurity becomes essential to sustaining their operations in a trusted and responsible way.
Internet Security and Advice
As cybersecurity threats become increasingly sophisticated, businesses and individuals must remain vigilant to avoid becoming liable. It is essential to remember that prevention is always better than cure. The following tips can help protect against web-based SQL injection attacks:
- Ensure all software on your network is up to date.
- Audit databases regularly to detect any suspicious activities.
- Ensure that all inputs are properly sanitized.
- Use parameterized queries to enhance security.
- Avoid JavaScript and similar technologies that can disrupt the normal workings of your site.
- Train employees on secure coding and server administration techniques.
- Conduct regular security audits and penetration testing to test your defenses.
- Follow the latest security news and trends.