Hackers are always on the lookout for low-hanging fruit and exploitable vulnerabilities, and they aren’t necessarily looking at “huge” mainstream applications like Office. A productivity tool or even an add-on can sometimes be the gateway via which hackers gain access to an environment and carry out their next action.
American cybersecurity firm Huntress on Friday identified one of these flaws in BillQuick, a time and billing system. Its researchers found a significant vulnerability affecting several versions of BillQuick which has since been fixed; threat actors were actively exploiting it to install ransomware on vulnerable systems.
According to the firm, CVE-2021-42258 was successfully exploited by hackers, who were able to acquire initial access to a US engineering firm and install ransomware across the victim’s network. The flaw is a SQL injection that allows for remote code execution.
Essentially, the vulnerability stems from the way BillQuick Web Suite 2020 constructs SQL database queries. It allows attackers to inject specially-crafted SQL via the application’s login form, which could be used to remotely spawn a command shell on the underlying Windows operating system and achieve code execution. Code execution is made possible by the application running under the “System Administrator” account, so any command reached through the injected query inherits those privileges.
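The root cause described above is a login query built by concatenating user input into SQL text. The following is an added illustration, not BillQuick’s code and not derived from Huntress’s research: it uses a constructed in-memory SQLite table with a hypothetical `users(username, password)` schema, shows the textbook tautology input passing the concatenated query, and shows the same input failing against the parameterized form that the fix for this class of bug relies on. Passwords are stored in plaintext here only to keep the example short; a real login store would hash them.

```python
import sqlite3

# Constructed stand-in for the application's login store.
# Hypothetical schema; the real product's tables are not known from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Query assembled by string concatenation: whatever the user types becomes
    # part of the SQL statement itself, so quotes in the input change its logic.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Bound parameters: the driver sends input as data, never as SQL text,
    # so the query's structure is fixed regardless of what the user types.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Classic textbook tautology used only to demonstrate the difference between
# the two query styles; it closes the string literal and appends an always-true clause.
TAUTOLOGY = "' OR '1'='1"


def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for the same input."""
    return (
        login_vulnerable(make_db(), username, password),
        login_parameterized(make_db(), username, password),
    )


if __name__ == "__main__":
    print("valid credentials:", compare("alice", "correct-horse"))
    print("tautology input:  ", compare("anyone", TAUTOLOGY))
```

Running the block shows the concatenated query accepting the tautology input while the parameterized query rejects it. The parameterization removes the injection; the separate finding that the service ran as a high-privilege account is addressed by running it under a least-privilege service identity, which the example cannot show but which limits what any remaining bug can reach.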
While BQE Software has patched the vulnerability, eight other unannounced security flaws discovered during the research have yet to be resolved.
A hostile campaign targeting BQE’s customer base is troubling, given the company’s self-reported user base of 400,000 customers globally.