Hackers Exploit BQE Software to Hit a US Engineering Company

Malicious actors are leaving no stone unturned in exploiting software vulnerabilities to deploy ransomware, and they are not always homing in on mainstream applications like Microsoft Office.

A productivity tool or even an add-on is all they need to gain access to an organization’s IT environment and execute their next move. Cybersecurity research firm Huntress recently discovered one such vulnerability, which attackers exploited to hit a US engineering company.

Huntress released a threat advisory about a critical vulnerability found in multiple versions of BillQuick Web Suite, a time and billing system from BQE Software.

According to the threat research firm, hackers successfully exploited the vulnerability, CVE-2021-42258, to gain access to an unnamed American engineering firm. The malicious actors were then able to deploy ransomware across the victim’s network.

“Considering BQE’s self-proclaimed user base of 400,000 users worldwide, a malicious campaign targeting their customer base is concerning,” said Huntress security researcher Caleb Stewart.

The Huntress ThreatOps team was able to recreate the SQL injection vulnerability in BillQuick. They also confirmed that cybercriminals could exploit it to access customers’ BillQuick data and execute malicious commands on their on-premises Windows servers.

Huntress raised the red flag after a number of its Ransomware Canary files were tripped within the engineering company’s environment, which was managed by one of Huntress’s partners.

“While investigating the incident, we discovered Microsoft Defender antivirus alerts indicating malicious activity as the MSSQLSERVER$ service account. This indicated the possibility of a web application being exploited in order to gain initial access,” said Stewart.

BillQuick Web Suite 2020 (WS2020)

The server hosted BillQuick Web Suite 2020 (WS2020). Huntress found that a foreign IP address was repeatedly sending POST requests to the web server’s logon endpoint, which led to the initial compromise.

“From this context, we suspected that a bad actor was attempting to exploit BillQuick—so naturally, we began reverse-engineering the web application to trace the attacker’s steps,” said Huntress.

Huntress then notified the BQE team.

“We really appreciate the BQE team’s timely responses to these vulnerability notifications. In 2021, it’s still extremely common for vendors to sweep cybersecurity issues under the rug; we have the impression that BQE is taking our feedback seriously,” said Stewart.

The BillQuick incident sheds light on a recurring attack pattern against SMB software.

“Well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed,” said Stewart.
