A vulnerability in billing software is being used to deploy ransomware. The warning comes from the Huntress ThreatOps team, which says it has “discovered a vulnerability in multiple BillQuick Web Suite versions, a time and billing system from BQE Software, which has over 400,000 users worldwide.” A US-based engineering company has already had ransomware deployed across its network as a result.
The details of the vulnerability are available in a blog from Caleb Stewart, security researcher, Huntress. In it, he writes: “Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.
“We have been in close contact with the BQE team to notify them of this vulnerability, assess the code changes implemented in WebSuite 2021 version 22.0.9.1 and work to address multiple security concerns we raised over their BillQuick and Core offerings.”
The blog also lists eight further CVEs that Huntress has filed against BQE products, in addition to CVE-2021-42258, which describes this vulnerability.
What is the problem with BQE’s billing software?
The software builds the queries it sends to its MSSQL database from user-supplied input without separating that input from the query text. Instead of the application controlling the query, the user does: a crafted value changes the structure of the query and can append SQL commands of the attacker's choosing. Importantly, the software also authenticated to the database as a sysadmin-level MSSQL login, so anyone who can inject SQL inherits far more privilege than the application should ever need.
Because the connection runs with sysadmin rights, the injected SQL can also call the xp_cmdshell stored procedure (and enable it first, if it has been disabled) to run commands on the underlying Windows host. xp_cmdshell spawns a Windows command shell under the SQL Server service account, so whatever the attacker runs inherits that account's permissions rather than those of an ordinary web user.
This lets an attacker, for example, enumerate the host on which BillQuick is running, locate every database on that SQL Server instance, and then dump and exfiltrate their contents, all without ever authenticating to the application.
The same command execution lets the attacker fetch and run arbitrary code on the server. That is how the ransomware was installed and launched.
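As an added example (not code from BillQuick, BQE or Huntress), here is the pattern described above and the privilege problem behind it: a login check that splices the txtID value straight into its query, the parameterised version that closes the hole, and a small audit of the database login the application uses. The users table and its column names are assumptions, SQLite stands in for MSSQL so the block runs offline, and FakeCursor stands in for a live pyodbc cursor; the two T-SQL checks themselves are standard SQL Server queries.

```python
import sqlite3

# Constructed stand-in for the application's user table; BQE's real schema is
# not known to this example and the table/column names are assumptions.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "Winter2021!")])
    conn.commit()
    return conn


def vulnerable_login_sql(txt_id: str, pw: str) -> str:
    """The weak pattern: user-controlled txtID is spliced into the query text.
    A quote in the input closes the string literal and whatever follows is
    parsed as SQL, so the application no longer controls the query's shape.
    SQL Server would also accept stacked statements after a ';' (the route to
    xp_cmdshell); SQLite's execute() refuses them, so this stand-in shows the
    authentication bypass only."""
    return f"SELECT id, name FROM users WHERE name = '{txt_id}' AND pw = '{pw}'"


def login_vulnerable(conn: sqlite3.Connection, txt_id: str, pw: str):
    return conn.execute(vulnerable_login_sql(txt_id, pw)).fetchone()


def login_safe(conn: sqlite3.Connection, txt_id: str, pw: str):
    """The fix: query text and values travel separately, so txtID is only ever
    compared against the column and cannot alter the statement."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? AND pw = ?", (txt_id, pw)
    ).fetchone()


# T-SQL a defender can run as the login the application uses. IS_SRVROLEMEMBER
# returns 1 when the current login is in the role; sys.configurations exposes
# the xp_cmdshell switch (value_in_use = 1 means enabled).
SYSADMIN_CHECK = "SELECT IS_SRVROLEMEMBER('sysadmin')"
XP_CMDSHELL_CHECK = ("SELECT value_in_use FROM sys.configurations "
                     "WHERE name = 'xp_cmdshell'")


def audit_app_login(cursor) -> dict:
    """Run with a DB-API cursor (e.g. pyodbc) opened as the application's login.
    Either True is the condition that turns an injection in the web tier into
    command execution on the host; the remediation is a dedicated login that is
    not a sysadmin, and sp_configure 'xp_cmdshell', 0."""
    cursor.execute(SYSADMIN_CHECK)
    is_sysadmin = cursor.fetchone()[0] == 1
    cursor.execute(XP_CMDSHELL_CHECK)
    xp_enabled = cursor.fetchone()[0] == 1
    return {"login_is_sysadmin": is_sysadmin, "xp_cmdshell_enabled": xp_enabled}


class FakeCursor:
    """Constructed stand-in for a live MSSQL cursor so the audit runs offline;
    maps each query string to the single value it should return."""
    def __init__(self, answers: dict):
        self._answers, self._last = answers, None

    def execute(self, sql: str) -> None:
        self._last = self._answers[sql]

    def fetchone(self):
        return (self._last,)


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"   # closes the literal and comments out the password check
    print(vulnerable_login_sql(payload, "x"))
    print("vulnerable:", login_vulnerable(db, payload, "x"))  # (2, 'admin') with no password
    print("safe:      ", login_safe(db, payload, "x"))        # None
    print(audit_app_login(FakeCursor({SYSADMIN_CHECK: 1, XP_CMDSHELL_CHECK: 1})))
```

Run against the real database, audit_app_login is the quick pre-patch triage: if the application's login is a sysadmin or xp_cmdshell is enabled, an injection anywhere in the web tier is already an operating-system compromise, and fixing those two settings limits the blast radius even before the vendor patch is applied.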
Huntress has filed vulnerability CVE-2021-42258 about this issue. The NVD database says: “BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.”
Enterprise Times: What does this mean?
If you think that this sounds familiar, it does. NotPetya began with the compromise of the update mechanism of M.E.Doc, accounting software from a Ukrainian vendor. That attack, as we now know, rapidly spread across the world, causing chaos for many organisations and countries. Huntress has not said this has the same potential, and the BillQuick attack exploited a flaw in software customers already had installed rather than a poisoned update. The fact remains that, once again, customers were put at risk by a trusted supplier's software, and it could have been avoided.
The question here is, why did BQE wait for the vulnerability to be exploited before acting? SQL injection of this kind is exactly what a code review or a basic web application test would have found. BQE did neither, and now it is in recovery mode.
Importantly, Huntress reports that BQE is actively working on fixes and is keen to resolve this. However, will that be enough for its customers? How many will consider alternatives to BQE, or will they assume the company is on top of the issue? Incidents like this cause significant reputational damage, and it will be interesting to see what BQE does to mitigate that.
There is another important issue to look at here, as Stewart calls out. “This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.”