An unknown ransomware group is currently exploiting a SQL injection bug in BillQuick Web Suite to launch attacks on its targets’ networks. The vulnerability is tracked as CVE-2021-42258.
BillQuick claims to have a 400,000 member user base worldwide.
The vulnerability can be exploited by anyone easily via login requests with invalid characters (a single quote) in the username field, according to the Huntress ThreatOps team.
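To show why a single quote in a username field is such a strong signal, here is an added example (not BillQuick or Huntress code) that puts a string-concatenated login query beside its parameterized form and runs a simple log check for quoted usernames. The user table, the `/login` form format and the log lines are constructed for this example.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    """Constructed in-memory user table standing in for a login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_concatenated(conn, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text, so a
    quote in the username changes the query's structure."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()

def login_parameterized(conn, username, password):
    """Hardened pattern: placeholders keep the quote as data, not syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

def probe(login, conn, username):
    """Classify one login attempt as 'ok', 'no-user' or 'sql-error'.
    A 'sql-error' on a quoted username is the tell-tale of string splicing."""
    try:
        return "ok" if login(conn, username, "x") else "no-user"
    except sqlite3.Error:
        return "sql-error"

def flag_login_probes(log_lines):
    """Defender check: return (timestamp, username) for /login requests whose
    decoded username carries a single quote. Log format is constructed:
    '<timestamp> <path> <urlencoded form body>'."""
    hits = []
    for line in log_lines:
        ts, path, body = line.split(" ", 2)
        if path != "/login":
            continue
        user = parse_qs(body).get("username", [""])[0]
        if "'" in user:
            hits.append((ts, user))
    return hits

# Constructed sample log: one normal login, one quoted username, one unrelated request.
SAMPLE_LOG = [
    "2021-10-09T03:12:44Z /login username=alice&password=x",
    "2021-10-09T03:13:01Z /login username=alice%27&password=x",
    "2021-10-09T03:13:05Z /report id=42",
]
```

Against the concatenated query the quoted username raises a SQL syntax error, while the parameterized query simply finds no such user; the log check surfaces the same request for triage.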
This vulnerability was patched on October 7 by BQE Software, the U.S. engineering company behind BillQuick, after Huntress Labs notified it of the bug. However, the researchers also found eight other zero-day vulnerabilities in BillQuick (CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, CVE-2021-42742). These can also be used for initial access and code execution.
“Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers,” Huntress Labs said. “We have been in close contact with the BQE team to notify them of this vulnerability, assess the code changes implemented in WebSuite 2021 version 18.104.22.168 and work to address multiple security concerns we raised over their BillQuick and Core offerings (more to come on these when patches are available).”
According to the researchers, the victim organization’s vulnerable BillQuick server was compromised, its systems were encrypted, and the server was used as the initial point of access to its network.
The gang behind the attacks is not known, and it has not dropped ransom notes yet. Instead, it is asking victims to pay in exchange for getting their files back.
“The actor we observed did not align with any known/large threat actor of which we are aware. It’s my personal opinion this was a smaller actor and/or group based on their behavior during exploitation and post-exploitation,” Huntress Labs security researcher Caleb Stewart told BleepingComputer. “However, based on the issues we’ve identified/disclosed, I would expect further exploitation by others moving forward is likely. We observed the activity over Columbus Day weekend (08-10 October 2021).”
This group has been using this ransomware since May 2020. It borrows code from other AutoIt-based ransomware families. The tool adds the firstname.lastname@example.org extension to encrypted files.