Researchers at Huntress Labs discovered a recent ransomware incident that was initiated by an exploitation of CVE-2021-42258 via an SQL injection vulnerability in the login page of the BQE BillQuick Web Suite. CVE-2021-42258 was successfully exploited in order to access and deploy ransomware on the network of an engineering company utilizing BQE’s solution. The vulnerability allows for remote code execution (RCE) within the on-premise Windows servers running this application. The vulnerabilities tracked by Huntress Labs that affect the BillQuick Web Suite include CVE-2021-44258, 42344 through 42346, 44571 through 42573, and 42741 and 42742.
Analyst Notes
BQE BillQuick Web Suite 2018 to 2021 version 22.0.9.0 are vulnerable to the reported SQL injection bug and can lead to remote code execution. Indicators of compromise for this attack include malicious activity running under the MSSQLSERVER$ service account and the repeated use of POST requests from a foreign IP to the web server endpoint. BQE has released a patch ahead of Huntress Lab’s report (version 22.0.9.1) and an update is highly recommended in order to fully mitigate this risk.
https://therecord.media/hackers-use-sql-injection-bug-in-billquick-billing-app-to-deploy-ransomware/
https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42258
