Threat Actors Exploit SQL-injection Vulnerability in the BillQuick Billing Software to Spread Ransomware

Researchers discovered that attackers are actively exploiting a critical SQL injection vulnerability in multiple versions of the web-based billing and invoicing system BillQuick to deploy ransomware on exposed systems.

BillQuick Web Suite from BQE Software is project management software that includes accounting, billing, and time-tracking features. According to the vendor, it has around 400,000 users all over the world.

Cybersecurity experts at Huntress Labs said that the bug, tracked as CVE-2021-42258, can be easily exploited by sending login requests with invalid characters (a single quote) in the username box.
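To show why a single quote in a login field is enough to expose an injection flaw, here is an added example (not BillQuick's code; the schema and the in-memory SQLite database are constructed for illustration) that places a login check built by string concatenation next to the parameterized version a defender would ship:

```python
import sqlite3


def make_db():
    """Constructed stand-in for the product database (assumption: the real schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so a quote changes the query itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_hardened(conn, username, password):
    """Parameterized query: values travel separately from the SQL, so a quote is only data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def probe(login, username, password="x"):
    """Runs one login attempt and reports 'ok', 'denied' or 'sql-error' for comparison.

    A 'sql-error' on a quoted username is the tell-tale sign the page describes:
    the database is parsing attacker-controlled text as part of the statement.
    """
    conn = make_db()
    try:
        return "ok" if login(conn, username, password) else "denied"
    except sqlite3.Error:
        return "sql-error"


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "alice':", probe(handler, "alice'"), "| o'brien:", probe(handler, "o'brien"))
```

The concatenating handler fails with a database error as soon as the username contains a quote, while the parameterized handler simply reports a failed login; a web application firewall or error log alert on that first behaviour is a cheap detection for servers that cannot be patched immediately.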

As reported by BleepingComputer, the issue was addressed earlier this month, on October 7, after Huntress Labs alerted the company to the bug.

However, eight other undisclosed security issues have yet to be patched, including:

The researchers declared:

Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.

We have been in close contact with the BQE team to notify them of this vulnerability, assess the code changes implemented in WebSuite 2021 version 22.0.9.1, and work to address multiple security concerns we raised over their BillQuick and

Read More: https://heimdalsecurity.com/blog/threat-actors-exploit-sql-injection-vulnerability-in-the-billquick-billing-software-to-spread-ransomware/