BillQuick, a time and billing system, had a critical vulnerability, now fixed, that was disclosed by cybersecurity researchers. The vulnerability was exploited to deploy ransomware on vulnerable systems.
CVE-2021-42258, a SQL injection vulnerability, allowed attackers to execute code remotely; it was used to gain a foothold in an unnamed U.S. engineering company and carry out a ransomware attack.
“Hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers,” Huntress Labs threat researcher Caleb Stewart said in a write-up. “This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.”
The vulnerability has its roots in how BillQuick Web Suite 2020 builds its SQL database queries. The way the queries are constructed lets attackers inject specially crafted SQL through the application’s login form, which could be used to remotely open a command shell on the underlying Windows operating system. This yields code execution, because the software runs as the “System Administration” user.
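The query-construction flaw described above, as an added illustration that is not BillQuick’s code (the page does not show the product’s actual query): a login check built by string concatenation beside its parameterized form, using an in-memory SQLite table as a constructed stand-in for the application’s Windows SQL database.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's user table; the real
    # schema is not on the page and this is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Query text assembled by concatenation: whatever the login form sends
    # is parsed as SQL syntax, so a quote in the input changes the query.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password):
    # Parameterized query: the driver binds the input as data, never as
    # SQL, so the same crafted input is compared literally and rejected.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(conn, username, password):
    # Returns (vulnerable_result, hardened_result) for one login attempt.
    return (login_vulnerable(conn, username, password),
            login_hardened(conn, username, password))


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials succeed on both paths.
    print("valid login:", compare(db, "alice", "correct-horse"))
    # A username carrying a quote and a comment marker turns the rest of the
    # concatenated query into a comment; only the vulnerable path accepts it.
    print("crafted username:", compare(db, "alice' --", "not-the-password"))
```

Parameterization removes the injection itself; running the database and application service under a least-privilege account, rather than an administrative one, limits what a successful injection can reach.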
“Hackers are constantly looking for low-hanging fruit and vulnerabilities that can be exploited—and they’re not always poking around in ‘big’ mainstream applications like Office,” Stewart said. “Sometimes, a productivity tool or even an add-on can be the door that hackers step through to gain access to an environment and carry out their next move.”