Threat actors have been caught exploiting a (now-patched) zero-day critical vulnerability in a popular timeclock and billing system, to take over vulnerable servers and inflict companies’ networks with ransomware.
Discovered by Huntress Labs earlier this month, the ongoing attacks focus on an SQL-injection bug in the BQE Web Suite from BQE Software.
102621 08:41 UPDATE: BQE clarified that the vulnerability affects BQE Web Suite customers, not BillQuick Web Suite customers, and that Huntress’ reference to BillQuick was inaccurate.
102621 09:15 UPDATE: A spokeperson told Threatpost that some BQE customers run the BillQuick platform via the cloud and others run it on-premise. The on-premise application is run using the BQE Web Suite product, which is the product with the vulnerabilities. Regardless of how many headlines – including Threatpost’s original headline, since corrected – cite BillQuick, customers running the cloud version aren’t, in fact, affected by the vulnerabilities.
“Hackers were able to successfully exploit CVE-2021-42258 – using it to gain initial access to a U.S. engineering company – and deploy ransomware across the victim’s network,” Caleb Stewart, a security researcher for Huntress Labs, said in a Friday post.
SQL injection is a type of attack that allows a cyberattacker to interfere with the queries that an application makes to its database. These attacks are typically carried out by inserting malicious SQL statements into an entry field used by the website (like a comment field).
Attackers used the SQL-injection vulnerability, which allows for remote code execution (RCE), to gain initial access to the unnamed engineering company.
BQE claims to have a user base of more than 400,000 users worldwide, including what the company describes as “leading architects, engineers, accountants, attorneys, IT specialists and business consultants.”
That kind of number is great for brand promotion, not so great for a malicious campaign targeting its customer base, Huntress Labs said.
Stewart said that Huntress’ spidey senses started to tingle after some of its so-called ransomware “canary files” were tripped. Those are files set up by Huntress managed service providers (MSPs) to trigger alerts if they’re changed, moved or deleted — the canaries in the coal mine.
The files were in an engineering company managed by one of Huntress’ MSPs. Upon investigation, Huntress analysts discovered Microsoft Defender antivirus alerts on the MSSQLSERVER$ service account, indicating that a threat actor may have exploited a web app to gain initial access.
Signs pointed to a foreign IP poking at a server hosting BillQuick, Stewart explained: “The server in question hosted BillQuick Web Suite 2020 (WS2020), and the connection logs indicated a foreign IP repeatedly sending POST requests to the web server logon endpoint, leading up to the initial compromise.”
Huntress suspected that a bad actor was attempting to exploit BQE Web Suite, so its researchers started to reverse-engineer the web app in order to trace the attacker’s steps. They managed to recreate the SQL-injection attack, confirming that threat actors can use it to access customers’ billing data and to run malicious commands on on-premises Windows servers.
Bug Can Be Triggered with a Single Character
Huntress said that triggering the now-patched SQL injection vulnerability is drop-dead simple: All you have to do is submit a login request with invalid characters in the username field. “Simply navigating to the login page and entering a single quote (`’`) can trigger this bug,” according to the analysis. “Further, the error handlers for this page display a full traceback, which could contain sensitive information about the server-side code.”
Huntress’ investigation found that the problem lies in concatenated SQL queries. The process of concatenation – i.e., joining two strings together – leads to SQL injection, whether it’s due to input that’s incorrectly filtered or wrongly typed.
“Essentially, this function allows a user to control the query that’s sent to the MSSQL database –which in this case, enables blind SQL injection via the application’s main login form,” Stewart explained.
In other words, an unauthorized user could exploit the vulnerability to dump the content of the MSSQL database used by BQE Web Suite or for RCE, which could lead to attackers gaining control over an entire server.
Huntress notified BQE about the bug, and it patched it. But Huntress is keeping other bug details close to the vest while it assesses whether the code changes implemented in the update, WebSuite 2021 version 18.104.22.168 – released on Oct. 7 – are effective. It’s also still working with BQE to address “multiple security concerns” that Huntress raised over the company’s BillQuick and Core products.
Eight More Security Bugs
Specifically, these are the other bugs found by Huntress that are now awaiting patches:
102621 08:36 UPDATE: BQE told Threatpost that its engineering team is aware of the issue with customers of BQE Web Suite and noted that the vulnerability has already been patched. With regards to the additional vulnerabilities identified by Huntress, the company is actively investigating and expects a short-term patch to the BQE Web Suite vulnerabilities to be in place by end of day, Tuesday, Oct. 26, along with a timeline on when a full fix will be implemented.
The company is aware of two customers having been affected. Its statement continued: “To our knowledge, the issue with BQE Web Suite has only affected two of our customers; we will be proactively communicating to the remainder of our BQE Web Suite customers the existence of these issues, when they can expect the issues to be resolved, and what steps they can take in the interim to minimize their exposure.”
BQE clarified that the vulnerability only affects BQE Web Suite customers, not BillQuick Web Suite customers.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.