Post

MOVEit Vulnerability Writeup

Posted Updated
By Kenneth Hernandez 2 min read

Around late May, it was released that Progress Software’s MOVEit Transfer service had undergone a zero-day exploit accessing databases via SQL Injection. This zero-day has impacted rougly 2200 organization and nearly 90 million individuals, with those numbers continuing to rise.

What is MOVEit?

MOVEit is a file transfer service by the company Progress that is used by many large organizations consisting of universities, banks, government agencies, corporations, and more. Most individuals impacted by the recent breaches do not use the service directly, but are affiliated with the impacted organizations. For example, the insurance company that someone is signed up with uses the MOVEit Transfer Service on the back-end and is breached. This makes the MOVEit breach a supply-chain issue.

How was MOVEit exploited?

Many servers running the MOVEit file transfer service were internet-facing. This allowed someone with the knowledge to begin probing these servers for access. A zero-day SQL Injection was used as an entry to the servers over the hyper-text transfer protocol (HTTP), the unencrypted version of https. Session manipulation was used as the method of authenticating onto the MOVEit servers. The threat actors were able to use SQL Injection to write a fabricated active session into the database to give them access. The active session was created as a MOVEit user with Admin access. This allowed the threat actors to login to the SYSTEM account and have complete system access.

What is SQL Injection?

SQL Injection is an exploit that tricks an application into exposing information from a database by inserting SQL statements into the entry field. For example a web page using a SQL database may prompt for an account number. In the background the following is being ran

1
2
3

SELECT FirstName, LastName, Balance
FROM Accounts
WHERE AccountNumber = '$account'

The inputted account number replaces ‘$account’ in the above query. Without proper input validation, a malicious user can inject code into that section and reveal information from the database.

Who is responisble for the breaches?

The Cl0p ransomware group was the original group to claim the breaches, but many others have been using the vulnerability.

Crowdstrike Technnical Write-Up

John Hammond Explanation

What To Do If Impacted by Experian

Live Impacted Tally by Emsisoft

Blogs
MOVEit SQL Injection Supply-Chain Vulnerability Research
This post is licensed under CC BY 4.0 by the author.