BillQuick billing software exploit lets hackers deploy ransomware
The now-patched critical zero-day vulnerability also leaked sensitive data from the time and billing platform
Hackers are exploiting a flaw in the BillQuick Web Suite, a time and billing system from BQE Software, to deploy ransomware.
According to a blog post by security researchers at Huntress, cyber criminals were able to exploit CVE-2021-42258 to gain initial access to a US engineering company and deploy ransomware across the victim’s network.
BQE Software has a user base of 400,000 users worldwide. At the time of writing, it's not known who the hackers behind the exploit are.
According to Caleb Stewart, a security researcher for Huntress Labs, researchers were first made aware of the issue when several ransomware “canary files” were tripped within an engineering company’s environment that was managed by one of Huntress’s partners. These files were set up to trigger alerts if they’re changed, moved, or deleted.
Further investigations found Microsoft Defender antivirus alerts indicating malicious activity as the MSSQLSERVER$ service account. This, according to Stewart, indicated the possibility of a web application being exploited to gain initial access.
“The server in question hosted BillQuick Web Suite 2020 (WS2020), and the connection logs indicated a foreign IP repeatedly sending POST requests to the web server logon endpoint, leading up to the initial compromise,” said Stewart.
The researchers suspected that a bad actor was attempting to exploit BillQuick, so then began a process of reverse engineering of the web application to trace the attacker’s steps. With a local copy of the app, researchers identified concatenated SQL queries.
“Essentially, this function allows a user to control the query that’s sent to the MSSQL database - which in this case, enables blind SQL injection via the application’s main login form,” said Stewart.
Researchers were then able to recreate the victim’s environment and validate simple security tools like sqlmap easily obtained sensitive data from the BillQuick server without authentication.
The best defence against ransomware
How ransomware is evolving and how to defend against itFree download
“Because these versions of BillQuick used the sa (System Administrator) MSSQL user for database authentication, this SQL injection also allowed the use of the xp_cmdshell procedure to remotely execute code on the underlying Windows operating system,” said Stewart.
The firm has been in contact with BQE Software, which has since patched the flaw. It is still working with the company on “multipleother security concerns”.
Despite BQE Software’s cooperation, Stewart said other well-established vendors are doing “very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed”.
“In 2021, it’s still extremely common for vendors to sweep cyber security issues under the rug; we have the impression that BQE is taking our feedback seriously,” he added.
Meeting the future of education with confidence
How the switch to digital learning has created an opportunity to meet the needs of every student, alwaysFree Download
The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana
Cost savings and business benefitsFree Download
The business value of the transformative mainframe
Modernising on the mainframeFree Download
Why PCaaS is perfect for modern schoolsFree Download