A SQL injection bug in the BillQuick billing app has not only leaked sensitive information, it’s also let malicious actors remotely execute code and deploy ransomware.
Threat actors are actively exploiting a now-patched, critical vulnerability in a popular time and billing system to take over vulnerable servers and infect companies' networks with ransomware.
Discovered by Huntress Labs earlier this month, the ongoing attacks focus on a SQL injection bug in BillQuick Web Suite from BQE Software.
“Hackers were able to successfully exploit CVE-2021-42258 – using it to gain initial access to a US engineering company – and deploy ransomware across the victim’s network,” Caleb Stewart, a security researcher for Huntress Labs, said in a Friday post.
The flaw is a SQL injection vulnerability: a class of bug that lets an attacker interfere with the queries an application makes to its database. It is typically exploited by entering malicious SQL into an input field whose contents the application splices directly into a query string and executes, so the attacker's text is parsed as part of the query rather than treated as data.
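The following is an added illustration of that mechanism, not code from BillQuick, BQE Software or the Huntress write-up. It assumes a generic login check against a users table (a constructed in-memory SQLite database, not the real product's schema) and shows the injectable string-concatenation pattern next to the parameterized form that closes it, plus the classic single-quote probe whose database error is the first sign a field is injectable.

```python
import sqlite3


def make_db():
    """Constructed stand-in for an application's user table (assumption: not BillQuick's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The injectable pattern: untrusted input is spliced into the SQL text itself."""
    return ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Returns True if the (now attacker-controlled) query matches any row."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized form: values travel out of band, so quotes and comment
    markers in the input remain data and never reach the SQL parser."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def probe_reveals_injection(conn):
    """Classic first test: a lone single quote in the field. A database syntax
    error means the input reached the SQL parser unescaped; the parameterized
    path simply treats it as a wrong username and returns False."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Closes the username literal, adds an always-true clause, comments out the rest.
    bypass = "' OR 1=1 --"
    print(build_vulnerable_query(bypass, "anything"))
    print("vulnerable login bypassed:", login_vulnerable(db, bypass, "anything"))
    print("parameterized login bypassed:", login_safe(db, bypass, "anything"))
    print("single quote triggers DB error:", probe_reveals_injection(db))
```

The bypass payload turns the concatenated query into `... WHERE username = '' OR 1=1 --' AND password = 'anything'`, so the password check is commented away and the row count is non-zero. The parameterized version, given the identical input, looks for a user literally named `' OR 1=1 --` and finds none. The single-quote probe is the same signal a tester uses to find such a flaw before trying a payload: an unbalanced quote produces a database error only when the application is building SQL by string concatenation.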
Attackers used the SQL injection vulnerability, which allows for remote code execution (RCE), to gain initial access to the unnamed engineering company and to unleash a ransomware attack on its network, Huntress said.