An SQL-injection bug in the BillQuick billing app has not only leaked sensitive information, it’s also let malicious actors execute code and deploy ransomware.

Threat actors are picking apart a now-patched, critical vulnerability in a popular timeclock and billing system to take over vulnerable servers and infect companies’ networks with ransomware.

Discovered by Huntress Labs earlier this month, the ongoing attacks focus on an SQL-injection bug in the BillQuick Web Suite from BQE Software.

“Hackers were able to successfully exploit CVE-2021-42258 – using it to gain initial access to a U.S. engineering company – and deploy ransomware across the victim’s network,” Caleb Stewart, a security researcher for Huntress Labs, said in a Friday post.


SQL injection is a type of attack that allows a cyberattacker to interfere with the queries that an application makes to its database. These attacks are typically carried out by inserting malicious SQL statements into an entry field used by the website (like a comment field).

Attackers used the SQL-injection vulnerability, which allows for remote code execution (RCE), to gain initial access to the unnamed engineering company.

BQE claims to have a user base of more than 400,000 users worldwide, including what the company describes as “leading architects, engineers, accountants, attorneys, IT specialists and business consultants.”

That kind of number is great for brand promotion, not so great for a malicious campaign targeting its customer base, Huntress Labs said.

Warning Bells

Stewart said that Huntress’ spidey senses started to tingle after some of its so-called ransomware “canary files” were tripped. Those are files set up by Huntress managed service providers (MSPs) to trigger alerts if they’re changed, moved or deleted — the canaries in the coal mine.

The files were in an engineering company managed by one of Huntress’ MSPs. Upon investigation, Huntress analysts discovered Microsoft Defender antivirus alerts on the MSSQLSERVER$ service account, indicating that a threat actor may have exploited a web app to gain initial access.

Signs pointed to a foreign IP poking at a server hosting BillQuick, Stewart explained: “The server in question hosted BillQuick Web Suite 2020 (WS2020), and the connection logs indicated a foreign IP repeatedly sending POST requests to the web server logon endpoint, leading up to the initial compromise.”

Huntress suspected that a bad actor was attempting to exploit BillQuick, so its researchers started to reverse-engineer the web app in order to trace the attacker’s steps. They managed to recreate the SQL-injection attack, confirming that threat actors can use it to access customers’ BillQuick data and to run malicious commands on on-premises Windows servers.

Bug Can Be Triggered with a Single Character

Huntress said that triggering the now-patched SQL injection vulnerability is drop-dead simple: All you have to do is submit a login request with invalid characters in the username field. “Simply navigating to the login page and entering a single quote (`’`) can trigger this bug,” according to the analysis. “Further, the error handlers for this page display a full traceback, which could contain sensitive information about the server-side code.”

Huntress’ investigation found that the problem lies in concatenated SQL queries. Concatenation – i.e., joining two strings together – leads to SQL injection when user-supplied input is joined into the query text without being correctly filtered or typed.

“Essentially, this function allows a user to control the query that’s sent to the MSSQL database – which in this case, enables blind SQL injection via the application’s main login form,” Stewart explained.

In other words, an unauthorized user could exploit the vulnerability to dump the content of the MSSQL database used by the BillQuick app or for RCE, which could lead to attackers gaining control over an entire server.
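As an added illustration (not Huntress’ or BQE’s code), here is the concatenated login query pattern described above beside its parameterized replacement, plus a check over constructed connection-log lines for the repeated logon POSTs Huntress described. The `users` table, the `/logon` path and the log format are assumptions, and SQLite stands in for MSSQL.

```python
import sqlite3
from collections import Counter

# Constructed in-memory stand-in for the MSSQL users table; the schema is an
# assumption for illustration, not BillQuick's real table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_concatenated(conn, username, password):
    """Vulnerable pattern: input joined straight into the query text, so a
    quote in the username ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] == 1

def login_parameterized(conn, username, password):
    """The fix: bound parameters are passed as data and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] == 1

def probe(login, username, password):
    """Classify the outcome: 'ok', 'denied', or 'error' (the traceback case)."""
    try:
        return "ok" if login(make_db(), username, password) else "denied"
    except sqlite3.Error:
        return "error"

# Constructed web-server log lines (assumed format: ip method path status).
LOG_LINES = """\
203.0.113.7 POST /logon 500
203.0.113.7 POST /logon 500
203.0.113.7 POST /logon 500
198.51.100.2 POST /logon 200
203.0.113.7 POST /logon 500
""".splitlines()

def noisy_logon_sources(lines, path="/logon", threshold=3):
    """Source IPs with at least `threshold` POSTs to the logon path that ended
    in a server error: repeated probing of the login form is worth an alert."""
    hits = Counter()
    for line in lines:
        ip, method, req_path, status = line.split()
        if method == "POST" and req_path == path and status.startswith("5"):
            hits[ip] += 1
    return {ip for ip, n in hits.items() if n >= threshold}
```

With a lone single quote as the username, `probe(login_concatenated, "'", "x")` returns `"error"` (the database rejects the broken query, which is what surfaces as a traceback), while the parameterized version simply returns `"denied"`.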

Huntress notified BQE about the bug, and it patched it. But Huntress is keeping other bug details close to the vest while it assesses whether the code changes implemented in the BillQuick update, WebSuite 2021 version 22.0.9.1 – released on Oct. 7 – are effective. It’s also still working with BQE to address “multiple security concerns” that Huntress raised over the company’s BillQuick and Core products.

Eight More BillQuick Security Bugs

Specifically, these are the other bugs found by Huntress that are now awaiting patches:

Huntress is reportedly warning customers still running BillQuick Web Suite 2018 to 2021 v22.0.9.0 to update their billing suites. Threatpost reached out to BQE to find out how many users have been targeted in the ransomware campaign and which ransomware is in play, and will update this story if we hear back.
