
MOVEit Transfer vulnerabilities expose SQL injection hazards


The recent attacks on Progress Software’s MOVEit Transfer product have shed light on the threat that SQL injection vulnerabilities pose to organizations of all sizes. On May 31, Progress Software disclosed a critical SQL injection flaw (CVE-2023-34362) that could allow attackers to gain access to MOVEit Transfer instances. Although patches were issued the same day, several security vendors observed widespread exploitation that had begun before the disclosure date. Microsoft subsequently attributed the attacks to a criminal group associated with the Clop ransomware cluster, which it tracks as “Lace Tempest.” Multiple data breaches have been reported in the last week, including at Zellis, an HR software company, and at the government of Nova Scotia, Canada.

SQL injection vulnerabilities have been used in several significant attacks over the years, including the TalkTalk breach in 2016 and a 2020 zero-day attack on Sophos’ XG Firewall. SQL injection has appeared on the Open Worldwide Application Security Project’s (OWASP) Top Ten list of the most prevalent vulnerability types for many years. According to OWASP, “The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.” Even though SQL injection flaws are well understood, vendors say they remain a significant security risk to businesses of any size.

John Hammond, senior security researcher, and Chris Cochran, advisory CISO and chief evangelist at Huntress, argue that SQL injection persists on the OWASP Top Ten precisely because of incidents like the MOVEit Transfer attacks. Additional SQL injection flaws were discovered in the MOVEit Transfer web application during examination of the code affected by CVE-2023-34362; these were later fixed and tracked as CVE-2023-35036.

Hammond and Cochran also pointed to several sources of software complexity that keep the problem alive. First, enterprise applications carry many dependencies at any given moment. Second, updates, patches, and code modifications can introduce unforeseen vulnerabilities. Although input validation and sanitization are the two main methods used to prevent these attacks, they are not always straightforward to apply consistently.

Satnam Narang, senior staff research engineer at Tenable, said the risk of SQL injection does not depend on an organization’s size or on the particular web application. “As long as there is a database and user input fields, there’s always a chance that an attacker could find a path towards SQL injection,” Narang said. Caitlin Condon, vulnerability research manager at Rapid7, agreed, adding that MOVEit Transfer, a widely used file transfer product, is an attractive target precisely because of its popularity.

The patch for CVE-2023-34362 appears to be effective, and Condon praised Progress’ incident response during the MOVEit Transfer security crisis. “In this case, Progress Software learned about the zero-day vulnerability because it was under active attack. And they did the best thing they could have in that situation: confirmed there was a vulnerability, developed a patch, released a security bulletin with urgent instructions for their customer base, and then worked with industry partners to stay on top of threat intelligence,” Condon said. “All in all, they’ve done an admirable job making the best of a tough situation.”

Meanwhile, MOVEit Transfer customers continue to disclose investigations and cyber attacks. The UK’s Office of Communications and the networking company Extreme Networks have both been affected. Security vendors recommend that developers use parameterized queries and sanitized inputs, and that they apply static or dynamic application security testing.
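The vendor advice above (input validation and sanitization, parameterized queries, and testing that exercises both) is easier to evaluate side by side. The following is an added example, not code from the article or from Progress Software; it uses Python’s standard sqlite3 module and a constructed three-row user table as a stand-in for any application database that receives user-controlled input. It places a deliberately vulnerable string-concatenated lookup next to a parameterized one and a validated one, and runs the same input through all three so the difference in behaviour is observable rather than asserted.

```python
import sqlite3

# Constructed sample data (not from the article): a minimal user table.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the input is concatenated into the SQL text,
    so the input can alter the query's structure, not just its data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the query text is fixed and the value is bound separately,
    so the database engine never parses the input as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    """Defence in depth: reject input that does not match the expected shape
    before it reaches the database, then still use a bound parameter.
    The allowed shape (1-32 alphanumeric characters) is an assumption for
    this example, not a rule from the article."""
    if not name.isalnum() or len(name) > 32:
        raise ValueError("username must be 1-32 alphanumeric characters")
    return lookup_parameterized(conn, name)


def compare(name: str) -> dict:
    """Run one input through all three lookups and report what each returns.
    A row count that differs between the concatenated and parameterized
    versions is the signal a code review or dynamic test is looking for."""
    conn = build_db()
    try:
        validated = len(lookup_validated(conn, name))
    except ValueError:
        validated = "rejected"
    return {
        "input": name,
        "vulnerable_rows": len(lookup_vulnerable(conn, name)),
        "parameterized_rows": len(lookup_parameterized(conn, name)),
        "validated": validated,
    }


if __name__ == "__main__":
    # A well-formed username behaves identically in all three lookups.
    print(compare("alice"))
    # The textbook tautology input from OWASP's description of the flaw:
    # the concatenated query returns every row, the parameterized query
    # returns none, and the validated lookup refuses the input outright.
    print(compare("' OR '1'='1"))
```

The point of running the same input through all three functions is that the vulnerability shows up as a measurable behavioural difference (three rows versus zero) rather than as an opinion about the code, which is exactly what dynamic application security testing automates. The validated variant is not a replacement for binding parameters; it narrows the input before the query and is what the article’s “sanitized inputs” advice amounts to in practice.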

Hammond and Cochran add that expanding attack surfaces are a real concern for organizations and their applications. “In the end, it comes down to time, potential human error, and the complexity associated with covering all bases,” they said.

Organizations of all sizes should take SQL injection vulnerabilities seriously and take concrete measures to protect themselves, including secure coding practices, regular patching, and regular security audits. As the security landscape evolves, it is incumbent upon businesses to keep pace with emerging threats and take proactive measures to maintain their defenses.
