Billing Software App: SQL Injection Flaw

Cybercriminals are exploiting a vulnerability in BillQuick, the popular billing software, to spread ransomware, security researchers at Huntress warn.
BQE Software’s BillQuick Web Suite versions earlier than 22.0.9.1 have an SQL injection flaw that gives rise to a more serious remote code execution (RCE) risk. The vulnerability, CVE-2021-42258, was patched on October 7 (PDF). Many systems are still unpatched, and the flaw was exploited to gain initial access to the systems of a US engineering company before a ransomware attack.
The BQE program has 40,000 users, mostly small to medium-sized organizations. Patching this vulnerability is urgent, because an attacker can use it to steal data from the database unnoticed (by dumping SQL database contents) and to plant malicious code.
A detailed technical analysis by Huntress outlines: “With help from our partner, we were able to test whether it was easy to get sensitive data from the BillQuick website without authentication. We did this by performing SQL injection against the server. The servers used the SA (System Administrator) MSSQL user for database authentication, which allowed us to use xp_cmdshell to remotely execute code on the Windows operating system.”
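The two conditions Huntress describes (the web application authenticating to MSSQL as SA, and xp_cmdshell being available to that account) can be audited and removed from the database side. The following T-SQL is an added example, not code from Huntress or BQE; the login name BillQuickAppUser and database name BillQuickDB are assumed placeholders.

```sql
-- Added hardening check (not from Huntress or BQE). Names below are placeholders:
-- BillQuickAppUser = the login the web tier should use, BillQuickDB = the billing DB.

-- 1. Does the application's database login hold sysadmin rights, as 'sa' does?
--    A sysadmin login turns any SQL injection into full server control.
SELECT sp.name,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin   -- 1 = member
FROM sys.server_principals AS sp
WHERE sp.name IN ('sa', 'BillQuickAppUser');

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means the extended procedure can
--    spawn Windows commands from inside a query.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 3. Remediation: disable xp_cmdshell and close advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Least privilege: give the web application its own login that is limited
--    to the billing database, and stop using 'sa' for the web tier.
CREATE LOGIN BillQuickAppUser WITH PASSWORD = '<strong-random-password>';  -- placeholder
USE BillQuickDB;
CREATE USER BillQuickAppUser FOR LOGIN BillQuickAppUser;
ALTER ROLE db_datareader ADD MEMBER BillQuickAppUser;
ALTER ROLE db_datawriter ADD MEMBER BillQuickAppUser;

-- 5. Re-run check 1: is_sysadmin for BillQuickAppUser must now be 0, and the
--    application's connection string must be switched to this login.
SELECT IS_SRVROLEMEMBER('sysadmin', 'BillQuickAppUser') AS app_login_is_sysadmin;
```

Disabling xp_cmdshell does not fix the injection itself; the vendor patch (22.0.9.1 or later) is still required, but these changes limit what an injection can reach.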
Exploiting the vulnerability is not hard, as a blog post by Huntress on the engineering company’s compromise shows. The researchers came across the attack after ransomware alerts were triggered in an engineering company’s environment that was managed by one of Huntress’s partners.
Initial forensics work led to the discovery of Microsoft Defender antivirus alerts indicating malicious activity. We found out that a web app was used to hack into the victim’s systems. A server that hosted BillQuick Web Suite 2020 was the initial point of compromise.
Huntress also found new vulnerabilities in BQE’s technology. They have been assigned CVE IDs, but many details are not public yet. All that is known is that the vulnerabilities affect the company’s BillQuick and Core products. Core is an all-in-one accounting and invoicing software package.