[TheRecord] Hackers use SQL injection bug in BillQuick billing app to deploy ransomware

At least one hacking group is exploiting a security flaw in a popular billing software suite to gain initial access, take over servers, and then deploy ransomware inside companies’ networks.

Discovered by Huntress Labs this month, the attacks targeted BillQuick Web Suite, a billing solution developed by California-based BQE.

“Hackers were able to successfully exploit CVE-2021-42258—using it to gain initial access to a US engineering company—and deploy ransomware across the victim’s network,” Caleb Stewart, a security researcher for Huntress Labs, said over the weekend.

Stewart said Huntress investigated the attack and was able to reproduce the attacker’s exploit, described as an SQL injection vulnerability in the app’s login page.

“Simply navigating to the login page and entering a single quote (`'`) can trigger this bug,” Stewart said. “Further, the error handlers for this page display a full traceback, which could contain sensitive information about the server-side code.”

Huntress said the vulnerability could be abused to dump the contents of the MSSQL database used by the BillQuick software, and even in remote code execution scenarios that would give hackers control over the entire server.

This is how Huntress believes the threat actor was able to enter customer networks and deploy ransomware.
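As an added illustration (not Huntress's or BQE's code) of the single-quote check and the traceback leak described above, the following Python uses an in-memory sqlite3 table standing in for the MSSQL backend; the table, the user record and the simulated login handler are constructed for this example. It contrasts the string-concatenated query that a lone quote breaks with a parameterised query that treats the quote as data, and an error handler that echoes the traceback with one that keeps it server-side.

```python
import sqlite3
import traceback

SERVER_LOG = []  # stands in for the server-side log; never returned to the client


def make_db():
    """Constructed in-memory database standing in for the app's MSSQL backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return db


def lookup_concatenated(db, username):
    """Weak form: the username is pasted into the SQL text, so a quote in the
    input changes the statement instead of being treated as data."""
    sql = "SELECT password_hash FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()


def lookup_parameterised(db, username):
    """Fixed form: the value is bound as a parameter, so a quote stays data."""
    sql = "SELECT password_hash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone()


def login_page(db, username, lookup, verbose_errors):
    """Simulated handler returning (status, body). verbose_errors=True mimics an
    error handler that sends the full traceback to the browser."""
    try:
        row = lookup(db, username)
    except sqlite3.Error:
        SERVER_LOG.append(traceback.format_exc())  # detail belongs in the server log
        body = SERVER_LOG[-1] if verbose_errors else "Login failed"
        return 500, body
    return (200, "ok") if row else (401, "Login failed")


def probe(username):
    """Run the same input against the weak and fixed handlers and report each result."""
    db = make_db()
    return {
        "concatenated+verbose": login_page(db, username, lookup_concatenated, True),
        "concatenated+generic": login_page(db, username, lookup_concatenated, False),
        "parameterised": login_page(db, username, lookup_parameterised, False),
    }
```

With the input `'`, only the concatenated query errors, and only the verbose handler leaks the traceback; the parameterised query simply finds no such user.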

Eight other issues also discovered; patches available

In addition to the SQL injection bug exploited in the ransomware attacks, Stewart said Huntress also discovered eight other vulnerabilities in the BillQuick software during their investigation.

All issues were reported to the vendor, which released patches in the WebSuite 2021 version on October 7.

Huntress is now warning customers who still run BillQuick Web Suite 2018 to 2021 v22.0.9.0 to update their billing suites.

BQE's website says the company has more than 400,000 customers. A BQE spokesperson was not immediately available for comment.

The post Hackers use SQL injection bug in BillQuick billing app to deploy ransomware appeared first on The Record by Recorded Future.
