BillQuick billing software exploit lets hackers deploy ransomware

The now-patched critical zero-day vulnerability also leaked sensitive data from the time and billing platform

Hackers are exploiting a flaw in the BillQuick Web Suite, a time and billing system from BQE Software, to deploy ransomware.

According to a blog post by security researchers at Huntress, cyber criminals were able to exploit CVE-2021-42258 to gain initial access to a US engineering company and deploy ransomware across the victim’s network.

BQE Software has a user base of 400,000 users worldwide. At the time of writing, it's not known who the hackers behind the exploit are.

According to Caleb Stewart, a security researcher for Huntress Labs, researchers were first made aware of the issue when several ransomware “canary files” were tripped within an engineering company’s environment that was managed by one of Huntress’s partners. These files were set up to trigger alerts if they’re changed, moved, or deleted.

Further investigations found Microsoft Defender antivirus alerts indicating malicious activity as the MSSQLSERVER$ service account. This, according to Stewart, indicated the possibility of a web application being exploited to gain initial access. 

“The server in question hosted BillQuick Web Suite 2020 (WS2020), and the connection logs indicated a foreign IP repeatedly sending POST requests to the web server logon endpoint, leading up to the initial compromise,” said Stewart.

The researchers suspected that a bad actor was attempting to exploit BillQuick, so then began a process of reverse engineering of the web application to trace the attacker’s steps. With a local copy of the app, researchers identified concatenated SQL queries.

“Essentially, this function allows a user to control the query that’s sent to the MSSQL database - which in this case, enables blind SQL injection via the application’s main login form,” said Stewart.

Researchers were then able to recreate the victim’s environment and validate simple security tools like sqlmap easily obtained sensitive data from the BillQuick server without authentication.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

“Because these versions of BillQuick used the sa (System Administrator) MSSQL user for database authentication, this SQL injection also allowed the use of the xp_cmdshell procedure to remotely execute code on the underlying Windows operating system,” said Stewart.

The firm has been in contact with BQE Software, which has since patched the flaw. It is still working with the company on “multipleother  security concerns”.

Despite BQE Software’s cooperation, Stewart said other well-established vendors are doing “very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed”.

“In 2021, it’s still extremely common for vendors to sweep cyber security issues under the rug; we have the impression that BQE is taking our feedback seriously,” he added.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

BitMart suspends withdrawals following hack
cryptocurrencies

BitMart suspends withdrawals following hack

6 Dec 2021
Bridging the DevSecOps divide: Spotlight on key relationships
Whitepaper

Bridging the DevSecOps divide: Spotlight on key relationships

3 Dec 2021
Planned Parenthood cyber attack exposes data of 400,000 patients
cyber attacks

Planned Parenthood cyber attack exposes data of 400,000 patients

3 Dec 2021
Bridging the DevSecOps divide: Spotlight on zero trust
Whitepaper

Bridging the DevSecOps divide: Spotlight on zero trust

3 Dec 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021