IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

BillQuick billing software exploit lets hackers deploy ransomware

The now-patched critical zero-day vulnerability also leaked sensitive data from the time and billing platform

Hackers are exploiting a flaw in the BillQuick Web Suite, a time and billing system from BQE Software, to deploy ransomware.

According to a blog post by security researchers at Huntress, cyber criminals were able to exploit CVE-2021-42258 to gain initial access to a US engineering company and deploy ransomware across the victim’s network.

BQE Software has a user base of 400,000 users worldwide. At the time of writing, it's not known who the hackers behind the exploit are.

According to Caleb Stewart, a security researcher for Huntress Labs, researchers were first made aware of the issue when several ransomware “canary files” were tripped within an engineering company’s environment that was managed by one of Huntress’s partners. These files were set up to trigger alerts if they’re changed, moved, or deleted.

Further investigations found Microsoft Defender antivirus alerts indicating malicious activity as the MSSQLSERVER$ service account. This, according to Stewart, indicated the possibility of a web application being exploited to gain initial access. 

“The server in question hosted BillQuick Web Suite 2020 (WS2020), and the connection logs indicated a foreign IP repeatedly sending POST requests to the web server logon endpoint, leading up to the initial compromise,” said Stewart.

The researchers suspected that a bad actor was attempting to exploit BillQuick, so then began a process of reverse engineering of the web application to trace the attacker’s steps. With a local copy of the app, researchers identified concatenated SQL queries.

“Essentially, this function allows a user to control the query that’s sent to the MSSQL database - which in this case, enables blind SQL injection via the application’s main login form,” said Stewart.

Researchers were then able to recreate the victim’s environment and validate simple security tools like sqlmap easily obtained sensitive data from the BillQuick server without authentication.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

“Because these versions of BillQuick used the sa (System Administrator) MSSQL user for database authentication, this SQL injection also allowed the use of the xp_cmdshell procedure to remotely execute code on the underlying Windows operating system,” said Stewart.

The firm has been in contact with BQE Software, which has since patched the flaw. It is still working with the company on “multipleother  security concerns”.

Despite BQE Software’s cooperation, Stewart said other well-established vendors are doing “very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed”.

“In 2021, it’s still extremely common for vendors to sweep cyber security issues under the rug; we have the impression that BQE is taking our feedback seriously,” he added.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide
Whitepaper

CIAM buyer’s guide

6 Jun 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022