Guest OpEd by Gilad David Maayan, CEO and Founder of Agile SEO
The BillQuick attack was an important reminder of the dangers of SQL injection. Attackers discovered a SQL injection flaw in BillQuick software used by over 400,000 organizations and used it to deploy ransomware across customer networks.
I’ll cover the attack, lessons learned, and measures you can take to protect your organization from SQL injection.
What Is SQL Injection?
SQL injection (SQLi) techniques are one of the primary focuses of database security initiatives. They enable attackers to gain unauthorized access to databases by injecting a string of malicious code into a database query.
The injected string alters the SQL the database executes, which can grant access to protected digital resources, such as sensitive data, or run arbitrary SQL statements of the attacker's choosing.
SQL injection is a critical threat included in the OWASP top 10 list of web application security risks. These attacks gain access to intellectual property, administrative credentials, and customer data.
Threat actors using this technique can target any application using SQL databases, such as MySQL and SQL Server. SQL injection attacks powered by automated tools can cause significant damage.
What Is the BillQuick Attack?
The BillQuick attack was reported by security researchers at Huntress. According to Huntress, threat actors exploited the CVE-2021-42258 vulnerability to gain unauthorized access to a US engineering company. It allowed these actors to deploy ransomware across the network.
BillQuick is project management software by BQE Software. It includes project management, billing, time-tracking, and accounting features, deployed on-premise or in the cloud. BillQuick Web Suite 2020 constructs its SQL database queries from user-supplied input.
It is vulnerable because an SQL injection through the application’s login screen allows spawning a command shell.
Threat actors can use the command shell to execute unauthorized commands through the underlying Windows operating system. When this occurs, ransomware can run with Windows system administration privileges.
This issue was addressed in version 220.127.116.11 of BillQuick, released on October 7, 2021. However, eight other undisclosed security issues identified as part of the investigation have not been patched yet.
BillQuick Vulnerability Analysis
Here is a summary of how the Huntress ThreatOps team discovered the BillQuick vulnerability:
The canary trap
The team was managing an engineering company’s environment. Their ransomware canary files were tripped, and the team began investigating the incident.
The Defender alert
The team discovered Microsoft Defender antivirus alerts indicating malicious activity running as the MSSQLSERVER$ service account. This led them to suspect that a web application was being exploited for initial access.
The suspicious activity
Investigation into the suspected server revealed it hosted BillQuick Web Suite 2020. Additionally, the connection logs showed that a foreign IP was repeatedly sending POST requests to the web server’s logon endpoint, which led to the initial compromise.
The team suspected that a threat actor was attempting to exploit BillQuick, and began reverse-engineering the web application to trace the actor’s steps. They downloaded a free copy of BillQuick from the official site, installed it locally, and started investigating.
They ran a static analysis of the server-side code and identified SQL queries built by string concatenation. This construction lets users control the query sent to the MSSQL database; in this case, it allowed blind SQL injection through the application’s main login form.
The team recreated the victim’s environment and validated that simple security tools, such as sqlmap, could easily obtain sensitive data from the BillQuick server without any authentication.
These versions of BillQuick use the system administrator (sa) MSSQL user for database authentication. As a result, SQL injection also enables actors to use xp_cmdshell to execute code on the underlying operating system remotely.
SQL Injection Prevention
The BillQuick attack is just one example showing how SQL injection can lead to disastrous consequences. Here are techniques you can use to prevent SQL injection attacks in your organization.
Using Parameterized Queries
When writing database queries, developers should use prepared statements with variable binding—also known as parameterized queries. These are easier to write and understand than dynamic queries.
The developer must define the entire SQL code for a parameterized query before passing each parameter to the query. The database can then distinguish between the data and code in any user-supplied input.
Prepared statements prevent attackers from changing the query intent by inserting SQL commands. In rare situations, this coding approach may impact performance, so it might be preferable to use data validation or escaping for user-supplied input in these cases.
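The following is an added example, not code from BillQuick or from this article. It contrasts the concatenated login query described in the analysis above with its parameterized form, using an in-memory SQLite table as a constructed stand-in for the application's user store (the table, users and the tautology input are all assumptions for the demonstration):

```python
import sqlite3

def make_db():
    """Constructed stand-in for a login table; not BillQuick's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    db.commit()
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text, so the
    database cannot distinguish data from code."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    """Fixed pattern: the SQL text is defined up front and the values are
    bound as parameters, so input is only ever treated as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def demo():
    """Run both variants against a valid credential and against a
    tautology in the password field (the textbook login-bypass input)."""
    db = make_db()
    good = ("alice", "s3cret")
    tautology = ("alice", "x' OR '1'='1")
    return {
        "concat_valid": login_concatenated(db, *good),
        "concat_tautology": login_concatenated(db, *tautology),
        "param_valid": login_parameterized(db, *good),
        "param_tautology": login_parameterized(db, *tautology),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The concatenated version accepts the tautology because the quote closes the string literal and the `OR` rewrites the WHERE clause; the parameterized version compares the whole input against the stored password and rejects it.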
Using Stored Procedures
Stored procedures are an alternative to parameterized queries, although they require safe implementation. While not always secure from SQL injection, they can use standard programming constructs with a similar effect to parameterized queries.
The developer defines the SQL code in the database as a stored procedure with declared parameters, so the statements it runs are parameterized automatically. The application then calls the stored procedure instead of constructing SQL itself.
Applying the Principle of Least Privilege
Organizations should secure their applications by ensuring that every user, entity, or process can only access the resources it requires. The principle of least privilege involves applying the appropriate access levels to each employee and system component, restricting access to protected resources. This approach makes it harder for attackers to implement SQL injection.
Applications rarely need to modify the database structure at runtime, so it makes sense to restrict permissions during runtime and grant increased permissions temporarily during release windows. In SQL databases, production accounts should be allowed to execute DML statements but not DDL statements.
For complex database designs, permissions should be more granular, with most processes restricted to read-only access. A least-privilege access management strategy ensures that attackers cannot make adverse changes after infiltrating the network.
Implementing Input Validation Allow Lists
Some parts of an SQL query, including table or column names, are not legal locations for binding variables. For these situations, the best strategy is redesigning the query or validating inputs. For example, the values for table or column names should come from code, not user parameters.
However, user parameter values may be useful for selecting among various table and column names. In such situations, it is important to map the parameter values to the legal column or table names to prevent the introduction of unvalidated input into the query.
This allow-listing approach is a quick fix, but a full redesign or rewrite is preferable where possible.
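An added example (not from the article or from BillQuick) of the allow-list mapping described above: user-supplied keys select a table and sort column only by lookup in dictionaries fixed in code, while the data value is still bound as a parameter. The table names, columns and rows are constructed for the demonstration.

```python
import sqlite3

# Allow lists: the only identifiers a user-supplied key may resolve to.
# Keys are arbitrary labels exposed to the client; values are fixed in code.
ALLOWED_TABLES = {"projects": "project", "invoices": "invoice"}
ALLOWED_SORT_COLUMNS = {"name": "name", "created": "created_at"}

def build_lookup(table_key, sort_key, owner):
    """Resolve identifiers through the allow lists and bind the data value.
    Unknown keys are rejected instead of being placed in the query."""
    try:
        table = ALLOWED_TABLES[table_key]
        column = ALLOWED_SORT_COLUMNS[sort_key]
    except KeyError as exc:
        raise ValueError(f"unsupported table or column key: {exc.args[0]!r}") from None
    # Identifiers come from the allow lists; the owner value is a bound parameter.
    sql = f"SELECT name FROM {table} WHERE owner = ? ORDER BY {column}"
    return sql, (owner,)

def make_db():
    """Constructed sample data for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE project (name TEXT, owner TEXT, created_at TEXT)")
    db.executemany("INSERT INTO project VALUES (?, ?, ?)",
                   [("Bridge", "alice", "2021-01-15"),
                    ("Airport", "alice", "2021-02-01"),
                    ("Tower", "bob", "2021-03-01")])
    db.execute("CREATE TABLE invoice (name TEXT, owner TEXT, created_at TEXT)")
    db.commit()
    return db

def lookup(db, table_key, sort_key, owner):
    """Run an allow-listed lookup and return the matching names in order."""
    sql, params = build_lookup(table_key, sort_key, owner)
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "projects", "created", "alice"))
    try:
        lookup(db, "project; DROP TABLE project", "name", "alice")
    except ValueError as err:
        print("rejected:", err)
```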
In this article, I described the BillQuick attack, in which attackers exploited a SQL injection vulnerability in project management software, using it to deploy ransomware with root privileges.
I also showed several best practices that can help you prevent breaches like the BillQuick attack in your organization:
- Using parameterized queries – most modern databases provide a parameterized query mechanism that completely prevents SQL injection vulnerabilities.
- Using stored procedures – stored procedures are another way to separate queries from execution logic and, if implemented correctly, can also prevent SQL injection.
- Applying the principle of least privilege – ensuring an application and database have only the minimal required privileges on the host machine, to minimize the impact of a breach.
- Implementing input validation allow lists – this is a last line of defense, ensuring that software code sanitizes user inputs so they match allowed patterns.
I hope this will be useful as you improve your security posture to prevent SQL injection attacks.
About the Author
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
Today he heads Agile SEO, a leading marketing agency in the technology industry.
Attivo Networks a Multiple-Award Winner in the 2021 ‘ASTORS’ Awards Program
American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.
Attivo Networks (First of Three)
Best Identity Detection & Response Solution
Attivo Networks®, a leader in identity detection and response, has expanded its portfolio to include cloud identity security.
Organizations provision human and non-human identities (applications, virtual machines, serverless functions, and such) on the network and in the cloud, which attackers target early in the attack cycle to progress their attacks.
By stealing these identities, they can impersonate authorized users, access resources, move laterally throughout the network and cloud environments, conduct reconnaissance, elevate privileges, identify targets, and compromise data.
While many tools intend to keep networks secure, Identity Detection and Response (IDR) gives organizations a critical new weapon in their arsenal to find and fix credential and entitlement weaknesses and detect live attacks on a real-time basis.
As modern cybercriminals attempt to exploit vulnerable credentials and entitlements to move through networks undetected, IDR solutions play a meaningful role in stopping them, whereas other tools simply cannot.
Attivo Networks IDR Suite of Products can seamlessly extend to the cloud and deliver detailed entitlement visibility for identities – including users, applications, containers, serverless functions, and other assets.
Attivo Networks (Second of Three)
Best Intrusion Detection & Prevention Solution
Attack surfaces have expanded dramatically with the shift toward remote work putting identity at the forefront of security, a major shift from traditional perimeter-based strategies.
Organizations must now defend identities across the entire enterprise with identity-based, least-privilege access programs and defenses capable of detecting attack escalation and lateral movement on-premises and in the cloud.
Attivo Networks has leveraged its deep experience in privilege escalation and lateral movement detection to become a significant player in the Identity Detection and Response space.
In the last year, the company has secured its leadership position based on its broad portfolio of capabilities that focus on unprecedented visibility to exposures and misconfigurations of identities and entitlements and early detection of credential theft, misuse, and privileged escalation activities.
Attivo Networks (Third of Three)
Best Cloud Security Solution
IDEntitleX is Attivo Networks’ Cloud Infrastructure Entitlement (CIEM) solution, which provides unprecedented visibility for cloud permissions management.
Customers gain actionable visibility to cloud identity risks and entitlement exposures so they can address risky entitlements and drift from security policies.
This solution makes it easy to identify and reduce risk by providing intuitive and interactive graphical visualizations for cloud identities, roles/permissions, and resources.
Defenders now gain the visibility needed to see misconfigurations and excess permissions attackers can leverage to create attack paths and persistence within the cloud environment.
*Attivo Networks is also a Returning Premier Sponsor of the Annual ‘ASTORS’ Homeland Security Awards Program for the Fourth Year, and a Multi-Platinum Award Winner in the 2020, 2019, 2018, and 2017 ‘ASTORS’ Awards Programs.
Through cyber visibility programs, deception, and conditional access tactics, the Attivo ThreatDefend® Platform offers a customer-proven, scalable solution for denying, detecting, and derailing attackers and reducing attack surfaces without relying on signatures.
The portfolio provides patented innovative defenses at critical points of attack, including at endpoints, in Active Directory, in the cloud, and across the entire network by preventing and misdirecting attack activity.
Forensics, automated attack analysis, and third-party integrations streamline incident response.
Deception as a defense strategy continues to grow and is an integral part of NIST Special Publications and MITRE® Shield, and its capabilities tightly align to the MITRE Engage™ Framework.
Attivo has won over 180 awards for its technology innovation and leadership.
In addition to the Platinum Award, Attivo Networks also won a much-coveted 2021 ‘ASTORS’ Extraordinary Leadership & Innovation Award, in recognition of their best-in-class cybersecurity and identity security platform in the global marketplace.
The United States was forever changed 20 years ago on September 11th, and we were fortunate to have many of those who responded to those horrific tragedies join us at the 2021 ‘ASTORS’ Awards Luncheon. In the days that followed 9/11, the critical needs of protecting our country catapulted us into new and innovative ways to secure our homeland – which is how many of the agencies and enterprise organizations that are today ‘ASTORS’ Awards Champions came into being.
Our 2021 keynote speaker featured a moving and informative address from TSA Administrator and Vice-Admiral of the United States Coast Guard (Ret), David Pekoske; to our attendees who traveled from across the United States and abroad, on the strategic priorities of the 64,000 member TSA workforce in securing the transportation system, enabling safe, and in many cases, contactless travel.
Legendary Police Commissioner William Bratton of the New York Police Department, the Boston Police Department, and former Chief of the Los Angeles Police Department was also live at the event, meeting with attendees and signing copies of his latest work ‘The Profession: A Memoir of Community, Race, and the Arc of Policing in America,’ courtesy of the generosity of our 2021 ‘ASTORS’ Awards Premier Sponsors.
The 2022 ‘ASTORS’ Awards Program is Proudly Sponsored by New PLATINUM SPONSOR: NEC National Security Systems (NSS), New Premier Sponsors Rajant Corporation, and guardDog AI, and returning Sponsors to date, Automatic Systems, RX Global, and SIMS Software!
The continually evolving ‘ASTORS’ Awards Program will emphasize the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders. #MentorshipMatters
So be on the lookout for exciting upcoming announcements of Speakers, Presenters, Book Signing Opportunities, and Attendees at the 2022 ‘ASTORS’ Awards Presentation Luncheon in November of 2022 in New York City!
Nominations are currently being accepted for the 2022 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.
In 2021 over 200 distinguished guests representing Federal, State and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields which included:
- The Transportation Security Administration (TSA)
- ICE Homeland Security Investigations (ICE HSI)
- Customs & Border Protection (CBP)
- The Federal Protective Service (FPS)
- Argonne National Laboratory (ANL)
- DHS Science & Technology (S&T)
- The National Center for Disaster Medicine & Public Health (NCDMPH)
- The American Red Cross
- The InfraGard National Alliance
- The Metropolitan Police (MPD)
- The U.S. Fire Administration (USFA)
- Naval Postgraduate School Center for Homeland Defense and Security (CHDS)
- The Federal Air Marshals Service
- The San Diego Harbor Police Foundation, and Many More!
Corporate firms, the majority of which return year to year to build upon their record of accomplishment include:
AlertMedia, Allied Universal, AMAROK, ATI Systems, Attivo Networks, Axis Communications, Automatic Systems of America, BriefCam, Canon U.S.A., Fortior Solutions, guardDog.ai, Hanwha Techwin of America, HID Global, Mark43, IPVideo Corporation, Konica Minolta Business Solutions, Lumina Analytics, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogic, Senstar Corporation, ShotSpotter, Singlewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and Wiresecure, just to name a few!
Why American Security Today?
American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.
American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.
Harness the Power of the Web – with our 100% Mobile Friendly Publications
AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.
‘PROTECTING OUR NATION, ONE CITY AT A TIME’
AST Reaches both Private & Public Experts, essential to meeting these new challenges.
Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.
These experts are from Government at the federal, state, and local level as well as from private firms allied to the government.
AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.
AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.
Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.
To learn more about ‘ASTORS’ Homeland Security Award Winners solutions, please see the 2021 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2021 ‘A Year in Review’.
The Annual CHAMPIONS edition includes a review of Annual ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.
It serves as your Go-To Source throughout the year for ‘The Best of 2021 Products and Services‘ endorsed by American Security Today, and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.
From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware and Networking Security – Just to name a few), the 2021 ‘ASTORS’ CHAMPIONS EDITION has what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.
It also includes featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2021 ‘ASTORS’ Awards Program.