Hackers Target Popular BillQuick Billing Software to Launch Ransomware Attack

Critical Vulnerability Discovered in BillQuick Billing Software Exploited by Ransomware Actors

Cybersecurity researchers have disclosed a serious vulnerability in the BillQuick time and billing software that threat actors have actively exploited to deploy ransomware. The flaw, tracked as CVE-2021-42258, is an SQL injection bug that can be chained into remote code execution, putting a large user base at risk.

The vulnerability has already been exploited in a successful attack on an unnamed engineering company based in the United States. According to American cybersecurity firm Huntress Labs, attackers leveraged this specific flaw to gain initial access and execute ransomware on the targeted systems. BillQuick, developed by BQE Software, is utilized by approximately 400,000 users around the world, increasing the potential impact of this vulnerability.

BQE Software fixed the flaw in BillQuick Web Suite 2021 version 22.0.9.1, released on October 7, 2021, but the company is reportedly still working on eight further security issues that were identified during the investigation and have not yet been disclosed. This raises concerns about the overall security posture of BillQuick and its implications for clients who rely on the software.

Huntress Labs’ threat researcher, Caleb Stewart, emphasized that attackers can use this vulnerability both to access sensitive BillQuick data and to execute commands on the Windows servers that host the application. The incident illustrates a worrying pattern in software aimed at small and medium-sized businesses (SMBs): even well-established vendors often do little to proactively secure their applications, leaving customers exposed to breaches that can end in significant data loss or a ransom demand.

The underlying issue is how BillQuick Web Suite 2020 builds its SQL database queries: values entered into the login form are spliced directly into the query text rather than passed as parameters. An attacker can therefore terminate the intended string and append further SQL statements of their own. Because the application connects to its database as a system administrator account, those injected statements can be used to spawn a command shell on the underlying Windows operating system, turning the injection into remote code execution.
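The following is an added example, not BillQuick's code and not the exploit Huntress reported. It models the flawed pattern described above (form fields concatenated into query text) and the fix (parameter binding) against an in-memory SQLite database with a constructed `users` table. The payloads, the `audit_log` table and every function name are assumptions for illustration. On Microsoft SQL Server a stacked statement injected this way could call `xp_cmdshell` when the application's login is a sysadmin; here the stacked statement merely drops a table so the example stays SQLite-only.

```python
import sqlite3

# Constructed sample account; not real BillQuick data.
SAMPLE_USERS = [("alice", "correct-horse-battery-staple")]


def make_db():
    """In-memory stand-in for the application database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    # A second table gives the stacked-query demonstration something to hit.
    db.execute("CREATE TABLE audit_log (entry TEXT)")
    db.execute("INSERT INTO audit_log VALUES ('login attempt')")
    db.commit()
    return db


def build_login_sql_vulnerable(username, password):
    """The flawed pattern: untrusted form fields are spliced into SQL text.
    Returns the statement exactly as the database would receive it."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    """Authentication check built on the concatenated statement.
    Returns True when the (attacker-influenced) query yields a row."""
    sql = build_login_sql_vulnerable(username, password)
    return db.execute(sql).fetchone() is not None


def run_batch_vulnerable(db, username, password):
    """Models a server that accepts stacked statements in one batch.
    Python's sqlite3 execute() refuses more than one statement, so
    executescript() is used to mirror SQL Server behaviour: every
    statement in the string runs, including the injected ones."""
    db.executescript(build_login_sql_vulnerable(username, password))


def login_hardened(db, username, password):
    """Fixed pattern: parameter binding sends values separately from the
    statement text, so quotes and semicolons in input remain data."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def table_exists(db, name):
    return db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone() is not None


# Illustrative payloads (assumed; not the exploit used against BillQuick).
# Closes the string, forces a true condition, comments out the rest.
BYPASS_USERNAME = "' OR '1'='1' --"
# Closes the string, runs an extra statement, then reopens a valid SELECT
# so the remainder of the application's query still parses.
STACKED_USERNAME = "x'; DROP TABLE audit_log; SELECT 1 FROM users WHERE username = '"


def demo():
    """Returns the outcome of each payload against both implementations."""
    results = {}
    db = make_db()
    results["vulnerable_bypass"] = login_vulnerable(db, BYPASS_USERNAME, "wrong")
    run_batch_vulnerable(db, STACKED_USERNAME, "wrong")
    results["audit_log_survived_vulnerable"] = table_exists(db, "audit_log")

    db = make_db()
    results["hardened_bypass"] = login_hardened(db, BYPASS_USERNAME, "wrong")
    results["hardened_legit"] = login_hardened(
        db, "alice", "correct-horse-battery-staple")
    login_hardened(db, STACKED_USERNAME, "wrong")  # payload is just a string
    results["audit_log_survived_hardened"] = table_exists(db, "audit_log")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The important caveat for a reviewer is the third function: a driver that refuses stacked statements (as Python's `execute()` does) hides the worst consequence of this bug, while SQL Server's client libraries hand the whole batch to the engine. The defence is therefore parameter binding, not escaping, and it should be paired with a least-privilege database login so that a stacked statement cannot reach shell-spawning procedures even if one slips through.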

Threat actors continually look for straightforward vulnerabilities to exploit. Stewart pointed out that attackers do not focus only on widely used applications; less prominent productivity tools and add-ons are also targeted, because they can provide unexpected entry points into corporate networks.

In MITRE ATT&CK terms, the SQL injection against the exposed login form is Initial Access through Exploit Public-Facing Application (T1190), and spawning a shell from the database server is Execution through Command and Scripting Interpreter (T1059). Because the application’s database connection already runs with administrative rights, the commands execute with those privileges from the outset, and an attacker can then work toward further privilege escalation within the affected environment.

Business owners and IT teams should take note of this vulnerability and reassess their security measures, especially if they run BillQuick or similar applications: apply the patched version, check whether the application’s database connection uses an administrative account, and limit exposure of the login page to the internet. Awareness and proactive action are crucial in safeguarding sensitive data against evolving cyber threats.
