Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware

An unknown ransomware gang leverages a critical SQL injection flaw in the BillQuick Web Suite time and billing solution to deploy ransomware.

An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular billing software suite BillQuick Web Suite time to deploy ransomware.

The attacks were first spotted this month by researchers from security firm Huntress that were also able to demonstrate the exploit. The ransomware gang exploited the CVE-2021-42258 flaw to gain access to the computer network of an US engineering company and deploy ransomware.

BQE has a self-proclaimed user base of 400,000 users worldwide, for this reason this campaign is alarming the experts.

“Hackers were able to successfully exploit CVE-2021-42258—using it to gain initial access to a US engineering company—and deploy ransomware across the victim’s network.” reads the post published by Huntress Labs. “Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.”

The researchers demonstrated that to trigger the vulnerability an attacker could navigate to the login page and enter a single quote (`’`). Experts also noticed that the error handlers for this page display a full traceback that could contain sensitive information about the server-side code.

Huntress Labs reported the flaw to BQE Software that addressed it on October 7.

The experts also found eight other BillQuick zero-day vulnerabilities tracked as  CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, CVE-2021-42742.

BleepingComputer speculates that the gang has been spreading this ransomware since at least May 2020 and it borrows large portion of code from other AutoIT-based ransomware families.

“Once deployed on target systems, it will add the pusheken91@bk.ru extension to all encrypted files but, as mentioned above, BleepingComputer has not seen it drop a ransom note during any known attacks.” reported BleepingComputer.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]