Guest OpEd by Gilad David Maayan, CEO and Founder of Agile SEO

The BillQuick attack was an important reminder of the dangers of SQL injection. Attackers discovered a SQL injection flaw in BillQuick software used by over 400,00 organizations and used it to deploy ransomware across customer networks.

I’ll cover the attack, lessons learned, and measures you can take to protect your organization from SQL injection.

What Is SQL Injection?

SQL injection (SQLi) techniques are one of the primary focuses of database security initiatives. They enable attackers to gain unauthorized access to databases by injecting a string of malicious code into the database query.

It can manipulate the SQL code to provide access to protected digital resources, like sensitive data, or execute malicious SQL statements. 

SQL injection is a critical threat included in the OWASP top 10 list of web application security risks. These attacks gain access to intellectual property, administrative credentials, and customer data.

Threat actors using this technique can target any application using SQL databases, such as MySQL and SQL Server. SQL injection attacks powered by automated tools can cause significant damage. 

What Is the BillQuick Attack?

The BillQuick attack was reported by security researchers at Huntress. According to Huntress, threat actors exploited the CVE-2021-42258 vulnerability to gain unauthorized access to a US engineering company. It allowed these actors to deploy ransomware across the network.

BillQuick is a project management software by BQE Software. It includes project management, billing, time-tracking, and accounting features—deployed on-premise or in the cloud. BillQuick Web Suite 2020 constructs SQL database queries.

It is vulnerable because it allows spawning a command shell via the application’s login screen through an SQL injection. 

Threat actors can use the command shell to execute unauthorized commands through the underlying Windows operating system. When this occurs, ransomware can run with Windows system administration privileges.

This issue was addressed in version 22.0.9.1 of BillQuick, released on October 7, 2021. However, eight other undisclosed security issues identified as part of the investigation have not been patched yet. 

BillQuick Vulnerability Analysis

Here is a summary of how the Huntress ThreatOps team discovered the BillQuick vulnerability:

1. The canary trap

The team was managing an engineering company’s environment. Their ransomware canary files were tripped, and the team began investigating the incident.

2. The Defender alert

The team discovered Microsoft Defender antivirus alerts that indicated malicious activity as the MSSQLSERVER$ service account. It led them to suspect a web application was being exploited for initial access. 

3. The suspicious activity

Investigation into the suspected server revealed it hosted BillQuick Web Suite 2020. Additionally, the connection logs revealed that a foreign IP was repeatedly sending POST requests to the webserver logon endpoint leading to the initial compromise.

4. The investigation

The team suspected that a threat actor was attempting to exploit BillQuick, and began reverse-engineering the web application to trace the actor’s steps. They downloaded a free copy of BillQuick from the official site, installed it locally, and started investigating. 

They ran a static analysis of the server-side code and identified concatenated SQL queries. This function allows users to control a query sent to the MSSQL database. In this case, it allowed blind SQL injection through the application’s main login form. 

The team recreated the victim’s environment and validated that simple security tools, such as sqlmap, could easily obtain sensitive data from the BillQuick server without any authentication.

These versions of BillQuick use the system administrator (sa) MSSQL user for database authentication. As a result, SQL injection also enables actors to use xp_cmdshell to execute code on the underlying operating system remotely. 

SQL Injection Prevention

The BillQuick attack is just one example showing how SQL injection can lead to disastrous consequences. Here are techniques you can use to prevent SQL injection attacks in your organization.

Using Parameterized Queries

When writing database queries, developers should use prepared statements with variable binding—also known as parameterized queries. These are easier to write and understand than dynamic queries.

The developer must define the entire SQL code for a parameterized query before passing each parameter to the query. The database can then distinguish between the data and code in any user-supplied input.

Prepared statements prevent attackers from changing the query intent by inserting SQL commands. In rare situations, this coding approach may impact performance, so it might be preferable to use data validation or escaping for user-supplied input in these cases. 

Using Stored Procedures

Stored procedures are an alternative to parameterized queries, although they require safe implementation. While not always secure from SQL injection, they can use standard programming constructs with a similar effect to parameterized queries.

The developer must build automatically parameterized SQL statements, defining and storing the SQL code for stored procedures in the database. The application calls the stored procedures from the database. 

Applying the Principle of Least Privilege

Organizations should secure their applications by ensuring that every user, entity, or process can only access the resources it requires. The principle of least privilege involves applying the appropriate access levels to each employee and system component, restricting access to protected resources. This approach makes it harder for attackers to implement SQL injection. 

Applications rarely need to modify the database structure at runtime, so it makes sense to restrict permissions during runtime and provide increased permissions temporarily during release windows. In SQL databases, the production accounts should execute DML statements but not DDL statements.

For complex databases, designs, permissions should be more granular, with most processes restricted to read-only access. A least-privilege access management strategy ensures that attackers cannot implement adverse changes when infiltrating the network.

Implementing Input Validation Allow Lists

Some parts of an SQL query, including table or column names, are not legal locations for binding variables. For these situations, the best strategy is redesigning the query or validating inputs. For example, the values for table or column names should come from code, not user parameters.

However, user parameter values may be useful for targeting various table and column names. In such situations, it is important to map the parameter values to the legal column or table names to prevent the introduction of unvalidated into the query.

This allow-listing approach is a quick fix, but a full redesign or rewrite is preferable where possible.

Conclusion

In this article, I described the BillQuick attack, in which attackers exploited a SQL injection vulnerability in project management software, using it to deploy ransomware with root privileges.

I also showed several best practices that can help you prevent breaches like the BillQuick attack in your organization:

• Using parameterized queries – most modern databases provide a parameterized queries mechanism which completely prevents SQL injection vulnerabilities.

• Using stored procedures – stored procedures are another way to separate queries from execution logic, and if implemented correctly, can also prevent SQL injection.

• Applying the principle of least privilege – ensuring an application and database have only the minimal required privileges on the host machine, to minimize the impact of a breach.

• Implementing input validation allow lists – this is a last line of defense, ensuring that software code sanitizes user inputs to ensure they match allowed patterns.

I hope this will be useful as you improve your security posture to prevent SQL injection attacks.

About the Author

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.

Today he heads Agile SEO, a leading marketing agency in the technology industry.

Related Technologies…

Attivo Networks a Multiple- Award Winner in the 2021 ‘ASTORS’ Awards Program

American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

Attivo Networks (First of Three)

Best Identity Detection & Response Solution

• IDR Suite of Products

• Attivo Networks®, a leader in identity detection and response, has expanded its portfolio to include cloud identity security.

  Organizations provision human and non-human identities (applications, virtual machines, serverless functions, and such) on the network and in the cloud, which attackers target early in the attack cycle to progress their attacks. 

• By stealing these identities, they can impersonate authorized users, access resources, move laterally throughout the network and cloud environments, conduct reconnaissance, elevate privileges, identify targets, and compromise data.

• While many tools intend to keep networks secure, Identity Detection and Response (IDR) gives organizations a critical new weapon in their arsenal to find and fix credential and entitlement weaknesses and detect live attacks on a real-time basis.

• As modern cybercriminals attempt to exploit vulnerable credentials and entitlements to move through networks undetected, IDR solutions play a meaningful role in stopping them, whereas other tools simply cannot.

• Attivo Networks IDR Suite of Products can seamlessly extend to the cloud and deliver detailed entitlement visibility for identities – including users, applications, containers, serverless functions, and other assets.

Attivo Networks (Second of Three)

Best Intrusion Detection & Prevention Solution

• IDR Suite of Products

• Attack surfaces have expanded dramatically with the shift toward remote work putting identity at the forefront of security, a major shift from traditional perimeter-based strategies.

• Organizations must now defend identities across the entire enterprise with identity-based, least-privilege access programs and defenses capable of detecting attack escalation and lateral movement on-premises and in the cloud.

• Attivo Networks has leveraged its deep experience in privilege escalation and lateral movement detection to become a significant player in the Identity Detection and Response space.

• In the last year, the company has secured its leadership position based on its broad portfolio of capabilities that focus on unprecedented visibility to exposures and misconfigurations of identities and entitlements and early detection of credential theft, misuse, and privileged escalation activities.

(The Attivo ThreatDefend® Platform delivers unparalleled attack prevention, detection, and adversary intelligence collection based on cyber deception and data concealment technologies for an informed defense. The platform efficiently derails attacker discovery, lateral movement, privilege escalation, and collection activities early in the attack cycle across endpoints, Active Directory, and network devices on-premises, in clouds, and on specialized attack surfaces. Courtesy of Attivo Networks and YouTube.)

Attivo Networks (Third of Three)

Best Cloud Security Solution

• IDEntitleX

• IDEntitleX is Attivo Networks’ Cloud Infrastructure Entitlement (CIEM) solution, which provides unprecedented visibility for cloud permissions management.

• Customers gain actionable visibility to cloud identity risks and entitlement exposures so they can address risky entitlements and drift from security policies.

• This solution makes it easy to identify and reduce risk by providing intuitive and interactive graphical visualizations for cloud identities, roles/permissions, and resources.

• Defenders now gain the visibility needed to see misconfigurations and excess permissions attackers can leverage to create attack paths and persistence within the cloud environment.

*Attivo Networks is also a Returning Premier Sponsor of the Annual ‘ASTORS’ Homeland Security Awards Program for the Fourth Year, and a Multi-Platinum Award Winner in the 2020, 2019, 2018, and 2017 ‘ASTORS’ Awards Programs.

Through cyber visibility programs, deception, and conditional access tactics, the Attivo ThreatDefend® Platform offers a customer-proven, scalable solution for denying, detecting, and derailing attackers and reducing attack surfaces without relying on signatures.

The portfolio provides patented innovative defenses at critical points of attack, including at endpoints, in Active Directory, in the cloud, and across the entire network by preventing and misdirecting attack activity.

Forensics, automated attack analysis, and third-party integrations streamline incident response.

Deception as a defense strategy continues to grow and is an integral part of NIST Special Publications and MITRE® Shield, and its capabilities tightly align to the MITRE Engage™ Framework.

Attivo has won over 180 awards for its technology innovation and leadership.

In addition to the Platinum Award, Attivo Networks also won a much-coveted 2021 ‘ASTORS’ Extraordinary Leadership & Innovation Award, in recognition of their best-in-class cybersecurity and identity security platform in the global marketplace.