BillQuick billing software has been exploited by hackers to deploy ransomware on vulnerable systems. According to the American cybersecurity firm Huntress Labs, the vulnerability, tracked as CVE-2021-42258, is an SQL injection flaw that allows remote code execution; it was successfully leveraged to gain initial access to an unnamed U.S. engineering company and mount a ransomware attack.
The popular billing software company has addressed the issue, while other undisclosed security issues that were also identified during the investigation are yet to be patched. BQE Software’s products are used by around 400,000 users worldwide.
Caleb Stewart, a threat researcher at Huntress Labs in a write up said, “Hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers. This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.”
The vulnerability stems from how BillQuick Web Suite 2020 constructs SQL database queries, which enables attackers to inject specially crafted SQL through the application’s login form. This can then be used to remotely spawn a command shell on the underlying Windows operating system and achieve code execution, making it possible to run commands as the “System Administrator” user.
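The root cause described above, a login query assembled by string concatenation, is easiest to see side by side with the fix. The following is an added illustration, not BillQuick’s code or anything published by BQE or Huntress; it uses a constructed in-memory SQLite table and constructed credentials, and the `login_vulnerable` / `login_parameterized` functions are hypothetical names. The concatenated version lets a quote in the password field rewrite the statement (a lone quote simply breaks the query, which surfaces as a database error in application logs and is a useful signal for defenders), while the parameterized version binds the same input purely as data.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for an application's login store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Hypothetical vulnerable pattern: the statement text is built from the
    # submitted form fields, so a quote character in the input changes the
    # structure of the SQL rather than being treated as a value.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Hardened form: placeholders keep the statement fixed and the driver
    # binds the input as data only, so quotes cannot alter the query.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def raises_on_lone_quote(conn):
    # A single quote makes the concatenated statement syntactically invalid.
    # In a real deployment this shows up as a database error on the login
    # path, which is worth alerting on.
    try:
        login_vulnerable(conn, "alice", "'")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    # Compare both login paths on valid credentials, a wrong password, and a
    # constructed password that turns the WHERE clause into a tautology.
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_param": login_parameterized(conn, "alice", "correct-horse"),
        "wrong_vuln": login_vulnerable(conn, "alice", "wrong"),
        "wrong_param": login_parameterized(conn, "alice", "wrong"),
        "tautology_vuln": login_vulnerable(conn, "anyone", tautology),
        "tautology_param": login_parameterized(conn, "anyone", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("lone quote raises in vulnerable path:", raises_on_lone_quote(make_db()))
```

Only `tautology_vuln` comes back true without valid credentials; the parameterized path rejects the same input, and the lone-quote probe raises an error only in the concatenated path. The same contrast holds for any database driver that supports bound parameters; the SQLite table here is just a stand-in.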
Stewart further added, “Hackers are constantly looking for low-hanging fruit and vulnerabilities that can be exploited—and they’re not always poking around in ‘big’ mainstream applications like Office. Sometimes, a productivity tool or even an add-on can be the door that hackers step through to gain access to an environment and carry out their next move.”