Recent attacks that exploited a zero-day vulnerability in Progress Software's MoveIT Transfer product have highlighted the threat SQL injection flaws pose to organizations of all sizes.
On May 31, Progress disclosed a critical SQL injection vulnerability, tracked as CVE-2023-34362, that could let attackers gain access to MoveIT Transfer instances. Patches were released later that day, but security vendors soon reported widespread exploitation that began prior to the disclosure date. Microsoft then attributed the attacks to a threat actor associated with the Clop ransomware group it calls "Lace Tempest." Multiple data breach victims emerged last week, such as HR software provider Zellis and the government of Nova Scotia, Canada.
SQL injection flaws have been exploited in several notable threats over the years, including a 2016 breach of British telecom firm TalkTalk and 2020 zero-day attacks on Sophos' XG Firewall. The vulnerability type has made Open Worldwide Application Security Project's (OWASP) Top Ten list for years. While SQL injection flaws are widely known, vendors say they continue to pose a significant security risk to enterprises regardless of size and resources.
"The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind," OWASP wrote. "The severity of SQL Injection attacks is limited by the attacker's skill and imagination."
John Hammond, senior security researcher, and Chris Cochran, advisory CISO and chief evangelist -- both at Huntress -- said SQL injections consistently appear in the OWASP Top Ten of application vulnerabilities because incidents like MoveIT Transfer keep popping up.
In fact, additional SQL injection flaws within MoveIt Transfer emerged last week. While examining the code for CVE-2023-34362, Huntress discovered additional SQL injection bugs, now tracked as CVE-2023-35036, in the MoveIT Transfer web application as well. In an updated advisory on June 9, Progress urged all MoveIT Transfer customers to apply the new patch on top of the previous one.
Hammond and Cochran highlighted several software complexities that contribute to the ongoing problem. For one, there are several dependencies in enterprise applications at any point in time. Secondly, updates, patches and code changes can introduce unforeseen vulnerabilities.
While SQL input validation and sanitation are two primary methods to defend against these attacks, Hammond and Cochran said it's not always an easy process.
"In this case, there are multiple spots in the MoveIT Transfer code base where they properly handle database transactions the 'right way' and the safe way. But there are also numerous spots that do it the 'wrong way' that are vulnerable to injection," Hammond and Cochran said in an email statement to TechTarget Editorial.
The "wrong way" refers to how user input is handled. If the user input for an application isn't handled safely, the backend database may confuse data for code and run commands based off the user input, Hammond and Cochran warned.
"This is an example of just 'concatenating,' or adding user input to raw database queries without validation or sanitization. That's the 'wrong way' because it blindly trusts the user to supply safe information, which a threat actor or adversary certainly won't. They'll abuse the functionality and take advantage of the vulnerability that the industry calls SQL injection," Hammond and Cochran said.
Satnam Narang, senior staff research engineer at Tenable, said SQL injection risks don't coincide with the size of an organization or the web application. "As long as there is a database and user input fields, there's always a chance that an attacker could find a path towards SQL injection," Narang said in an email to TechTarget Editorial.
Caitlin Condon, vulnerability research manager at Rapid7, agreed that the size of a company doesn't prevent its products from being the target of a zero-day attack. MoveIT Transfer is a popular file sharing option across many large organizations. Its popularity makes it a high value target for attacks, she said.
Progress's response to MoveIT Transfer attacks
The applied patch for CVE-2023-34362 appears to be effective, and Condon applauded Progress's incident response during the grave MoveIT Transfer security situation.
"In this case, Progress Software learned about the zero-day vulnerability because it was under active attack. And they did the best thing they could have in that situation: confirmed there was a vulnerability, developed a patch, released a security bulletin with urgent instructions for their customer base, and then worked with industry partners to stay on top of threat intelligence," Condon said. "All in all, they've done an admirable job making the best of a tough situation.
While Progress's initial advisory did not warn of any exploitation in the wild, Condon said Progress disclosed that the vulnerability was being exploited in the wild in a timely manner. Rapid7 research teams abide by a 72-hour timeline after discovering a vulnerability in third-party software that's being exploited in the wild. Progress met that standard, she said, which was "no small feat."
"The earliest date we tracked exploitation back to was May 27, which was in the middle of a holiday weekend for the U.S. The Progress Software advisory was published May 31, which means that judging by all available evidence, they released fixes across multiple product versions and delivered emergency communications in roughly two business days," Condon said.
With Progress' swift response, Condon said the onus is now on MoveIt Transfer customers to make sure they've patched their instances. If organizations still aren't patching and exploitation continues to succeed, then she'd attribute the attacks to vulnerability management problems on the part of affected businesses.
As of June 12, MoveIT Transfer customers continue to disclose investigations and attacks, including the U.K.'s Office of Communications and networking vendor Extreme Networks.
The security vendors offered recommendations to tackle the significant SQL injection threat. For developers, Narang said parameterized queries, also known as prepared statements, and sanitized inputs as well as static application security testing or dynamic application security testing can be helpful.
Specific to the MoveIT Transfer attacks, Condon said the attackers left artifacts in targeted systems that are relatively easy for affected organizations to identify in forensic investigations.
Hammond and Cochran said that expanding attack surfaces are a real concern for organizations and applications alike. "In the end, it comes down to time, potential human error and the complexity associated with covering all bases."