Posted on October 27, 2021 at 11:53 AM
Researchers at Huntress Labs have discovered active exploits on a critical SQL injection bug in several versions of the BillQuick invoicing system. The report noted that the threat actors are deploying ransomware to infiltrate the billing system.
Although the critical vulnerability has been patched, it allowed the threat actors to steal sensitive data from the billing platform.
The Vulnerability Is Exploited Easily By The Hackers
The BillQuick invoicing and billing system is a project management software with several features, such as time accounting, time-tracking, and billing features. The company says the platform has over 400,000 users all over the world.
The researchers noted that the vulnerability, named CVE-2021-42258, does not present any difficult challenge to the hacker in terms of exploitation. All they have to do is send login requests using invalid characters in the username box.
The researchers also discovered that the Microsoft Defender antivirus alerts indicate malicious activities as the MSSQLSERVER$ service account. It shows that a web application could be actively be exploited and compromised.
Huntress Labs stated that they alerted the developers about their discovery on October 7. The company subsequently released a patch to the bug, but users who have not updated their systems are still vulnerable.
Moreover, the company is yet to patch 8 other vulnerabilities, which puts many users at risk of exploitation.
The Huntress security researchers stated that they successfully recreated the injection-based attack and understand how the threat actors can exploit the weakness. The research team added that hackers can access users’ BillQuick data and “execute malicious commands on their on-premise Windows servers”.
“We have been in close contact with the BQE team to notify them of this vulnerability,” the research team noted. They stated that BillQuick is working to address the series of issues they raised over the safety of the platform and its core offerings.
The Threat Actors Acted Independently
The Huntress researchers also stated that the threat actors did not seem to be working with any state-backed or popular hacking group. And based on their activities and behavior before and after exploitation, they are smaller actors compared to the more established and experienced hackers.
A security researcher at Huntress Labs, Caleb Stewart, stated that BQE has been largely responsive throughout this period. However, the incidence is another indication of the importance of security software utilized by small and medium enterprises.
“This incident highlights a repeating pattern plaguing SMB software,” Stewart noted. It shows that software vendors are not doing enough to proactively provide more security. Also, they are not putting enough pressure on their customers to high liability when vital data is exposed.
The Security researchers explained that the SQL-injection bug was recently exploited and used to target an undisclosed U.S. organization.
Customers Are Advised To Apply Updates Immediately
The vulnerability, which enables remote code execution (RCE) was successfully exploited to gain prior access and launch a ransomware attack.
The researchers added that based on the issues they discovered, other threat actors could launch additional exploitation on the systems. To prevent such exploitation from becoming a success, customers of the BillQuick billing system have been asked to run updates as soon as possible. The company also needs to speed up the release of patches for other vulnerabilities that are still a source of risks and exposure to customers.
The threat actor discovered attacking the BillQuick system is still unknown. Although, it’s not clear what the hacking motive of the actor is, as they have not left any ransomware message yet.
They have not offered to deliver a decryption key that will enable the victims to recover their files, so there is no way to know whether the victims can recover their files.
Huntress Labs believe that the ransomware developed and used by the hackers was first seen in the wild in May 2020. Additionally, it has similar features to the AutoIT-based ransomware types.
When it’s successfully installed in the victim’s system, it sends the firstname.lastname@example.org extension to all encrypted files.
Organizations Asked To Strengthen Security On Non-Working Days
The CISA and FBI recently warned organizations about the increased state of ransomware attacks. The agencies advised them to beef up their security networks against threat actors, especially during weekends or holidays, when threat actors believe to be the most vulnerable period to launch attacks.
Stewart said findings from the research team showed that the threat actor is sending post requests from a foreign IP. This repeated action led to the initial infiltration added Stewart.
Ransomware threats on large and medium organizations have become more common, and the Huntress researchers are asking organizations to do more than they are doing currency when it comes to security.