[BreachExchange] Hackers Exploit Flaw In BQE Software’s Billing System To Deploy Ransomware: Huntress

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Oct 25 09:35:43 EDT 2021


https://www.crn.com/news/security/hackers-exploit-flaw-in-bqe-software-s-billing-system-to-deploy-ransomware-huntress

Hackers hit a U.S. engineering company with ransomware through a
vulnerability in BQE Software’s time and billing system, according to
threat research firm Huntress.

Threat researcher superstar Huntress is warning of a vulnerability in
multiple versions of BQE Software’s time and billing system, BillQuick Web
Suite, which allows hackers access to deploy ransomware attacks. Huntress
security researcher Caleb Stewart said the incident continues to highlight
the repeating pattern plaguing SMB software, which is that
“well-established vendors are doing very little to proactively secure their
applications and [are subjecting] their unwitting customers to significant
liability when sensitive data is inevitably leaked and/or ransomed.”

CRN reached out to BQE Software but had not heard back by press time.

According to Huntress, hackers recently exploited CVE-2021-42258, a
vulnerability in the BillQuick Web Suite, to gain access to a U.S.-based
engineering company and deploy ransomware across the victim’s network. The
BillQuick time and billing system was running on on-premises Windows
servers.

“Considering BQE’s self-proclaimed user base of 400,000 users worldwide, a
malicious campaign targeting their customer base is concerning,” said
Stewart in a blog post Friday. “Our team was able to successfully re-create
this SQL injection-based attack and can confirm that hackers can use this
to access customers’ BillQuick data and run malicious commands on their
on-premises Windows servers.”

Ransomware is one of the biggest security threats in the world.

One-third of organizations worldwide have experienced a ransomware attack
or breach that blocked access to systems or data in the previous 12 months,
according to an August 2021 study by research firm IDC. For those that fell
victim to ransomware, it is not uncommon to have experienced multiple
ransomware events.

Stewart said Huntress was made aware of the security vulnerability after a
number of its “Ransomware Canary” files were tripped within the engineering
company’s environment, which was managed by one of its partners.

“We discovered Microsoft Defender antivirus alerts indicating malicious
activity as the MSSQLSERVER$ service account. This indicated the
possibility of a web application being exploited in order to gain initial
access,” said Stewart.

The server in question hosted BillQuick Web Suite 2020, and the connection
logs indicated a foreign IP repeatedly sending POST requests to the web
server logon endpoint, leading up to the initial compromise, according to
Huntress. “We were able to re-create the victim’s environment and validate
simple security tools like sqlmap easily obtained sensitive data from the
BillQuick server without authentication,” Stewart said.

Huntress said it is spearheading multiple SMB efforts to drive awareness of
the “code quality epidemic” before hackers deliver a “great reckoning.”

“We’re going to be the security tide that raises all boats. It’s time to
rise up,” said Stewart.

The news comes after BQE Software recently named Victor Limongelli as its
new CEO.
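The article notes that the connection logs showed a foreign IP repeatedly sending POST requests to the web logon endpoint before the compromise. As an added example (not code from CRN, Huntress, or BQE Software), the following flags that pattern in IIS W3C-style logs; the log lines are constructed samples, and the logon path, threshold, and time window are assumptions rather than BillQuick’s actual values.

```python
# Added example: flag source IPs that repeatedly POST to the web logon
# endpoint within a short window, the pre-compromise pattern the article
# describes. Log lines are constructed; the path/threshold/window are
# assumptions, not values from BillQuick or Huntress.
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_PATH = "/billquick/logon"  # assumed placeholder path
THRESHOLD = 5                    # POSTs to logon from one IP ...
WINDOW = timedelta(minutes=10)   # ... within this window

SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-10-20 02:14:01 GET /billquick/logon 198.51.100.7 200
2021-10-20 02:14:05 POST /billquick/logon 198.51.100.7 500
2021-10-20 02:14:06 POST /billquick/logon 198.51.100.7 500
2021-10-20 02:14:06 POST /billquick/logon 198.51.100.7 500
2021-10-20 02:14:07 POST /billquick/logon 198.51.100.7 500
2021-10-20 02:14:09 POST /billquick/logon 198.51.100.7 200
2021-10-20 02:15:00 POST /billquick/logon 192.0.2.10 302
2021-10-20 08:15:00 POST /billquick/logon 192.0.2.10 302
"""

def parse_w3c(text):
    """Parse IIS W3C lines using the #Fields header; yield one dict per record."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def logon_post_bursts(text, path=LOGON_PATH, threshold=THRESHOLD, window=WINDOW):
    """Return {c-ip: max POSTs to path seen inside one window} for IPs at/over threshold."""
    times = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == path:
            times[rec["c-ip"]].append(datetime.fromisoformat(f"{rec['date']} {rec['time']}"))
    hits = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):  # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    for ip, n in logon_post_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to {LOGON_PATH} within {WINDOW}")
```

Real deployments would feed the server's actual IIS logs and the real logon path, and a burst of POSTs paired with 5xx responses from an unfamiliar source is worth correlating with database-side alerts such as the service-account activity the article mentions.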