Ransomware Deployed Using SQL Injection Bug in BillQuick Invoicing Software


A hacking group has exploited a security flaw in popular invoicing software to hijack servers running it and deploy ransomware on the victim's network.

This attack, discovered by Huntress Labs, targets BillQuick Web Suite, an invoicing solution developed by California-based BQE.

Hackers were able to exploit CVE-2021-42258 to gain initial access to a US engineering firm and deploy the ransomware across the victim’s network.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42258

Stewart said that Huntress Labs investigated the attack and was able to replicate it by exploiting a SQL injection vulnerability in the app’s login page.

Navigating to the login page and simply entering a single quote (') will trigger this bug. Additionally, the error handler on this page displays a full traceback and may contain sensitive information about the server-side code.

Huntress said the vulnerability could be exploited to dump the contents of the MSSQL database used by the BillQuick software, or for remote code execution scenarios where a hacker could take control of the entire server.

Huntress believes that this vulnerability could have been used to infiltrate the customer’s network and deploy ransomware.

8 problems found, patch provided

In addition to the SQL injection bug exploited in the ransomware attack, Stewart said that Huntress found eight other vulnerabilities in the BillQuick software during its research.

All issues were reported to the vendor, who released a patch for the exploited CVE-2021-42258 SQL injection bug in WebSuite 2021 version 22.0.9.1 on October 7, 2021.

http://billquick.net/download/Support_Download/BQWS2021Upgrade/WebSuite2021LogFile_9_1.pdf

Patches for the other 8 issues will be available soon.

Huntress is warning customers currently running BillQuick Web Suite 2018 through 2021 v22.0.9.0 to update their billing suite.

BQE BillQuick Web Suite 2018 through 2021 prior to 22.0.9.1 allows unauthenticated remote code execution via SQL injection, as was exploited to install ransomware in October 2021. The SQL injection can use, for example, the txtID (a.k.a. user name) parameter. A successful exploit can execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
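A detection sketch for the xp_cmdshell execution path described above, added here as an example and not taken from Huntress or BQE: it walks process-creation records and flags every process descended from sqlservr.exe. The records are constructed, use Sysmon Event ID 1 field names, and are assumed to arrive in creation order.

```python
from pathlib import PureWindowsPath

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed process-creation records (Sysmon Event ID 1 field names).
# GUIDs, users and command lines are invented for this example.
EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "ParentImage": SQLSERVR,
     "Image": CMD, "CommandLine": CMD + " /c whoami", "User": "MSSQLSERVER$"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "ParentImage": CMD,
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
     "User": "MSSQLSERVER$"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g9", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": CMD, "CommandLine": CMD, "User": "alice"},
]


def exe(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def sql_server_descendants(events):
    """Return (depth, event) for each process descended from sqlservr.exe.

    Expects events in creation order, so a parent is seen before its children.
    """
    depth_of = {}  # ProcessGuid -> generations below sqlservr.exe
    hits = []
    for ev in events:
        if exe(ev["ParentImage"]) == "sqlservr.exe":
            depth = 1
        elif ev["ParentProcessGuid"] in depth_of:
            depth = depth_of[ev["ParentProcessGuid"]] + 1
        else:
            continue
        depth_of[ev["ProcessGuid"]] = depth
        hits.append((depth, ev))
    return hits


def looks_like_xp_cmdshell(ev):
    """xp_cmdshell hands its argument to the command shell: cmd.exe /c ... under sqlservr.exe."""
    return (exe(ev["ParentImage"]) == "sqlservr.exe" and exe(ev["Image"]) == "cmd.exe"
            and " /c " in ev["CommandLine"].lower() + " ")


if __name__ == "__main__":
    for depth, ev in sql_server_descendants(EVENTS):
        tag = "xp_cmdshell?" if looks_like_xp_cmdshell(ev) else "descendant"
        print(f"{'  ' * (depth - 1)}{tag}: {ev['User']} {ev['CommandLine']}")
```

Any hit on a server hosting the BillQuick database is worth triage, since the database engine has little reason to start a command shell.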
