A critical SQL injection bug in BillQuick Web Suite has been exploited by an as-yet-unidentified ransomware group. The billing system, developed by BQE Software, is believed to have 400,000 users worldwide.

What has happened?

Recently, a U.S.-based engineering company was hit by ransomware from an unidentified group that exploited a vulnerability in the company's on-premises BillQuick server.
  • The attacker used a critical vulnerability, tracked as CVE-2021-42258, to gain initial access to the company network.
  • The flaw lets an attacker read the customer's BillQuick data and run commands on the underlying Windows server.

About the vulnerability

  • It is a SQL injection vulnerability in the BillQuick server's login handling: the username is spliced into a SQL query without sanitization, so a login request whose username field contains characters that break the query, such as a single quote, changes the statement the database executes. A quick check for an unpatched server is that a lone single quote in the username produces a database error rather than an ordinary failed login.
  • BQE Software patched it in WebSuite 2021 version 22.0.9.1, released on October 7, after Huntress Labs reported the bug.
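The bullets above describe the trigger only in outline. The following is an added example, not BillQuick's code and not Huntress's reproduction; it uses a hypothetical Users table in an in-memory SQLite database (the real product runs on Microsoft SQL Server, and the column names and hash values here are invented) to show why a stray quote in the username field produces a database error from a concatenated query, how a comment sequence in the same field bypasses the password check, and how the parameterized form treats the same input as plain data.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample data for the example; this is not BillQuick's schema.
# The PasswordHash values are placeholders, not real hashes.
USERS = [
    ("alice", "hash-of-alice-password", 1),
    ("bob", "hash-of-bob-password", 0),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a hypothetical Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (Username TEXT, PasswordHash TEXT, IsAdmin INTEGER)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> Optional[Tuple]:
    """Login check with the username concatenated into the SQL text.

    Whatever the user types becomes part of the statement the database
    parses, which is the defect class the article describes."""
    sql = (
        "SELECT Username, IsAdmin FROM Users WHERE Username = '" + username
        + "' AND PasswordHash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str,
                        password_hash: str) -> Optional[Tuple]:
    """Same check with bound parameters: the driver sends the username as
    data, so quotes and comment sequences in it never reach the parser."""
    sql = ("SELECT Username, IsAdmin FROM Users "
           "WHERE Username = ? AND PasswordHash = ?")
    return conn.execute(sql, (username, password_hash)).fetchone()


def probe(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """The 'invalid character in the username' probe: submit a username and
    return the database error text if the concatenated query fails to parse.
    A well-formed username returns None (an ordinary failed login)."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("probe 'alice' :", probe(db, "alice"))          # None: normal failed login
    print("probe \"'\"    :", probe(db, "'"))             # parser error text
    # A comment sequence in the username drops the password check entirely.
    print("vulnerable    :", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized :", login_parameterized(db, "alice' --", "wrong"))
```

SQLite's `execute()` refuses stacked statements, so this example stops at authentication bypass. On SQL Server the same concatenation also admits stacked queries and, where the procedure is enabled and the application's database login has the rights, `xp_cmdshell`, which is how a query injection becomes command execution on the Windows host the article mentions.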

Additional analysis

To analyze the incident, the researchers re-created the SQL injection attack and confirmed that an attacker can read customers' BillQuick data and execute commands on the on-premises Windows server that hosts it.

No link could be established between the threat actor behind this attack and any known threat group. According to the researchers, the actor's behavior during exploitation suggests a smaller actor or group.

Conclusion

Cybercriminals never miss an opportunity to exploit a zero-day in widely used software, and they increasingly go after flaws in line-of-business and productivity tools and their add-ons rather than only flagship platforms. Apply the latest security patches promptly and keep software up to date. For a SQL injection like this one, also run the application's database account with least privilege and keep command-execution features such as SQL Server's xp_cmdshell disabled, so that a query injection cannot be turned into code execution on the host.
Cyware Publisher