Ransomware Attacks Perpetrated via Vulnerability in BillQuick Billing Software

  • A critical vulnerability that allowed remote code injection was discovered in multiple versions of the relatively popular BillQuick billing software.
  • The exploit uses SQL injection against the application's MSSQL database to reach the xp_cmdshell stored procedure, which runs commands on the underlying OS.
  • The attacks permitted the hackers to access customer data and deploy malware.

A vulnerability in BillQuick (a very popular billing app with over 400,000 users worldwide) that allows SQL injection leading to unauthenticated remote code execution was exploited in the wild this month to deploy ransomware. This critical flaw was assigned CVE-2021-42258, and it affects BQE BillQuick Web Suite 2018 through 2021, before

The researchers' team used SQL injection-based attacks to execute malicious commands on the target device. The vulnerability set includes the following: CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, and CVE-2021-42742. All of these are part of the BillQuick WebSuite 2021 version

The team discovered a number of suspicious activities on the MSSQLSERVER$ service account, flagged by their Ransomware Canary files as well as Microsoft Defender antivirus. They looked through the connection logs and found a foreign IP repeatedly sending POST requests. These requests were sent to the web server's login endpoint right up to the first infection instance. From there they traced the attacker's steps back to the infection's origin point.
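The pattern described above, a single source hammering the login endpoint with POST requests shortly before the first infection, is something a defender can look for in the web server's own access logs. The following is an added example, not code from the article or from Huntress: it parses a few constructed IIS-style log lines and flags any client IP whose POSTs to the login path reach a threshold within a short window. The login path, the IPs and the timestamps are assumed placeholders, not values from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a trimmed IIS W3C layout. The login path and all
# addresses below are placeholders chosen for this example, not real values.
LOGIN_PATH = "/billquick/login.aspx"  # assumed; set to the real login endpoint
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-10-10 02:14:01 GET /billquick/login.aspx 10.0.0.5 200
2021-10-10 02:14:09 POST /billquick/login.aspx 10.0.0.5 302
2021-10-10 02:30:00 POST /billquick/login.aspx 203.0.113.77 500
2021-10-10 02:30:01 POST /billquick/login.aspx 203.0.113.77 500
2021-10-10 02:30:02 POST /billquick/login.aspx 203.0.113.77 500
2021-10-10 02:30:03 POST /billquick/login.aspx 203.0.113.77 500
2021-10-10 02:30:04 POST /billquick/login.aspx 203.0.113.77 500
2021-10-10 02:30:05 POST /billquick/login.aspx 203.0.113.77 200
2021-10-10 03:00:00 POST /billquick/login.aspx 10.0.0.8 302
"""

def parse_iis(text):
    """Yield (timestamp, method, path, client_ip, status); skip '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time_, method, path, ip, status = line.split()
        yield datetime.fromisoformat(f"{date} {time_}"), method, path, ip, int(status)

def find_login_bursts(text, path=LOGIN_PATH, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_posts} for clients that send at least `threshold` POSTs
    to `path` within any `window`. A hit is a lead for investigation, not proof."""
    posts = defaultdict(list)
    for ts, method, p, ip, _ in parse_iis(text):
        if method == "POST" and p == path:
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0  # sliding window over this client's sorted POST timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG))  # {'203.0.113.77': 6}
```

Tune `threshold` and `window` to the site's normal login volume, and correlate a hit with database-side events (failed queries, new processes spawned by the SQL Server service) before treating it as an intrusion.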

Looking at the SQL injection, the researchers found server-side code that built queries from user-supplied input and passed them straight to the MSSQL database, so queries could be injected through the login screen. Upon recreating a compromised device's environment, they found that BillQuick lets anyone who combines the SQL injection with MSSQL system admin privileges call the xp_cmdshell procedure. This gave the attacker access to the host operating system and allowed remote code execution. They have explained the entire process, from the injectable login field to mapping the database with the tool sqlmap.

The researchers have stated that configuring the database to block execution of the xp_cmdshell extended stored procedure is one mitigation. Further, when configured with least-privilege SQL users, BillQuick Web Suite prevents remote code execution via SQL injection.

In practice, Huntress has observed partners using BillQuick Web Suite with the built-in system admin account, which allows full access to the back-end database server, including xp_cmdshell, regardless of configuration restrictions. The researchers have informed BQE Software of the vulnerability issues, and the company is addressing the vulnerabilities actively.
