Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware

October 25, 2021  By Pierluigi Paganini


An unknown ransomware gang leverages a critical SQL injection flaw in the BillQuick Web Suite time and billing solution to deploy ransomware.

An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular billing software suite BillQuick Web Suite time to deploy ransomware.

The attacks were first spotted this month by researchers from security firm Huntress that were also able to demonstrate the exploit. The ransomware gang exploited the CVE-2021-42258 flaw to gain access to the computer network of an US engineering company and deploy ransomware.

BQE has a self-proclaimed user base of 400,000 users worldwide, for this reason this campaign is alarming the experts.

“Hackers were able to successfully exploit CVE-2021-42258—using it to gain initial access to a US engineering company—and deploy ransomware across the victim’s network.” reads the post published by Huntress Labs. “Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.”

The researchers demonstrated that to trigger the vulnerability an attacker could navigate to the login page and enter a single quote (`’`). Experts also noticed that the error handlers for this page display a full traceback that could contain sensitive information about the server-side code.

Huntress Labs reported the flaw to BQE Software that addressed it on October 7.

The experts also found eight other BillQuick zero-day vulnerabilities tracked as  CVE-2021-42344CVE-2021-42345CVE-2021-42346CVE-2021-42571CVE-2021-42572CVE-2021-42573CVE-2021-42741CVE-2021-42742.

BleepingComputer speculates that the gang has been spreading this ransomware since at least May 2020 and it borrows large portion of code from other AutoIT-based ransomware families.

“Once deployed on target systems, it will add the [email protected] extension to all encrypted files but, as mentioned above, BleepingComputer has not seen it drop a ransom note during any known attacks.” reported BleepingComputer.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

A critical RCE flaw affects Discourse software, patch it now!

 US CISA urges administrators to address a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installs....