An SQL-injection bug in the BQE Web Suite billing app has not only leaked sensitive information, it’s also let malicious actors execute code and deploy ransomware.
Threat actors have been caught exploiting a (now-patched) critical zero-day vulnerability in a popular timeclock and billing system to take over vulnerable servers and infect companies’ networks with ransomware.
Discovered by Huntress Labs earlier this month, the ongoing attacks focus on an SQL-injection bug in the BQE Web Suite from BQE Software.
102621 08:41 UPDATE: BQE clarified that the vulnerability affects BQE Web Suite customers, not BillQuick Web Suite customers, and that Huntress’ reference to BillQuick was inaccurate.
102621 09:15 UPDATE: A spokesperson told Threatpost that some BQE customers run the BillQuick platform via the cloud and others run it on-premise. The on-premise application is run using the BQE Web Suite product, which is the product with the vulnerabilities. Regardless of how many headlines – including Threatpost’s original headline, since corrected – cite BillQuick, customers running the cloud version aren’t, in fact, affected by the vulnerabilities.
“Hackers were able to successfully exploit CVE-2021-42258 – using it to gain initial access to a U.S. engineering company – and deploy ransomware across