Cybersecurity researchers on Friday disclosed a now-patched
critical vulnerability in multiple versions of a time and billing
system called BillQuick that’s being actively exploited by
threat actors to deploy ransomware on vulnerable systems.
The flaw, tracked as CVE-2021-42258[1], concerns an SQL-based injection[2]
attack that allows for remote code execution. It was successfully
leveraged to gain initial access to an unnamed U.S. engineering
company and mount a ransomware attack, American cybersecurity firm
Huntress Labs said.
While the issue has been addressed by BQE Software, eight other
undisclosed security issues that were identified as part of the
investigation are yet to be patched. According to its website[3], BQE Software’s products
are used by 400,000 users worldwide.
“Hackers can use this to access customers’ BillQuick data and
run malicious commands on their on-premises Windows servers,”
Huntress Labs threat researcher Caleb Stewart said[4]
in a write-up. “This incident highlights a repeating pattern
plaguing SMB software: well-established vendors are doing very
little to proactively secure their applications and subject their
unwitting customers to significant liability when sensitive data is
inevitably leaked and/or ransomed.”
Essentially, the vulnerability stems from how BillQuick Web
Suite 2020 constructs SQL database queries, enabling attackers to
inject specially crafted SQL via the application’s login form
that could be used to remotely spawn a command shell[5]
on the underlying Windows operating system and achieve code
execution. That last step is made possible by the fact that the
software runs as the “System Administrator” user.
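As an added illustration of the flaw class described above (not BillQuick’s code, whose schema and query text the article does not show), the following constructed example places a login query built by string concatenation beside its parameterized form, using an in-memory SQLite table with a made-up user:

```python
import sqlite3


def make_db():
    # Constructed sample table; the real application's schema is not known.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The weak pattern: untrusted form fields are spliced into the query
    # text, so the database parses user input as SQL rather than as data.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Hardened form: the query shape is fixed and the values are bound as
    # parameters, so quote characters in the input never change the query.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A quote-and-comment sequence in the username field short-circuits the
    # concatenated query but is just an unmatched string for the safe one.
    crafted = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, crafted, "x"))  # alice
    print("safe:      ", login_safe(db, crafted, "x"))        # None
```

Parameterization closes the injection; whether an injected query can then reach a command shell, as in the incident above, depends on the privileges of the account the application connects with, so a least-privilege database account is the complementary control.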
“Hackers are constantly looking for low-hanging fruit and
vulnerabilities that can be exploited—and they’re not always poking
around in ‘big’ mainstream applications like Office,” Stewart said.
“Sometimes, a productivity tool or even an add-on can be the door
that hackers step through to gain access to an environment and
carry out their next move.”
References
- [1] CVE-2021-42258 (nvd.nist.gov)
- [2] SQL-based injection (www.imperva.com)
- [3] website (www.bqe.com)
- [4] said (www.huntress.com)
- [5] spawn a command shell (docs.microsoft.com)