
Hackers Exploit Flaw In BQE Software’s Billing System To Deploy Ransomware: Huntress

Mark Haranas

‘Well-established vendors are doing very little to proactively secure their applications and [are subjecting] their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed,’ says Huntress security researcher Caleb Stewart.


Hackers hit a U.S. engineering company with ransomware through a vulnerability in BQE Software’s time and billing system, according to threat research firm Huntress.

Threat research superstar Huntress is warning of a vulnerability in multiple versions of BQE Software’s time and billing system, BillQuick Web Suite, that allows hackers to gain access and deploy ransomware. Huntress security researcher Caleb Stewart said the incident highlights a repeating pattern plaguing SMB software: “well-established vendors are doing very little to proactively secure their applications and [are subjecting] their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.”

CRN reached out to BQE Software but had not heard back by press time.

According to Huntress, hackers recently exploited the vulnerability, tracked as CVE-2021-42258, in BillQuick Web Suite to gain access to a U.S.-based engineering company and deploy ransomware across the victim’s network. The BillQuick time and billing system was running on on-premises Windows servers.


“Considering BQE’s self-proclaimed user base of 400,000 users worldwide, a malicious campaign targeting their customer base is concerning,” said Stewart in a blog post Friday. “Our team was able to successfully re-create this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.”

Ransomware is one of the biggest security threats in the world.

One-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months, according to an August 2021 study by research firm IDC. For those that fell victim to ransomware, it is not uncommon to have experienced multiple ransomware events.

Stewart said Huntress was made aware of the security vulnerability after a number of its “Ransomware Canary” files were tripped within the engineering company’s environment, which was managed by one of its partners.

“We discovered Microsoft Defender antivirus alerts indicating malicious activity as the MSSQLSERVER$ service account. This indicated the possibility of a web application being exploited in order to gain initial access,” said Stewart.

The server in question hosted BillQuick Web Suite 2020, and the connection logs indicated a foreign IP repeatedly sending POST requests to the web server logon endpoint, leading up to the initial compromise, according to Huntress. “We were able to re-create the victim’s environment and validate simple security tools like sqlmap easily obtained sensitive data from the BillQuick server without authentication,” Stewart said.
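
The log pattern described above, one address repeatedly sending POST requests to the logon endpoint, can be hunted for in web server logs. The following is an added example, not code from Huntress or CRN; it assumes IIS W3C-format logs in chronological order, and the logon path, IP addresses, log lines and thresholds are constructed placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/app/login.aspx"  # assumption: placeholder logon path, not from the incident

# Constructed IIS W3C log: one ordinary user, then one address POSTing every 2 seconds.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 10.0\n"
    "#Fields: date time cs-method cs-uri-stem c-ip sc-status\n"
    "2021-10-01 02:10:00 GET /app/login.aspx 198.51.100.7 200\n"
    "2021-10-01 02:10:05 POST /app/login.aspx 198.51.100.7 200\n"
    "2021-10-01 02:10:20 POST /app/login.aspx 198.51.100.7 302\n"
    + "".join(f"2021-10-01 03:00:{s:02d} POST /app/login.aspx 203.0.113.50 500\n"
              for s in range(0, 40, 2))
)

def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive in the log."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def flag_login_post_bursts(text, path=LOGIN_PATH, threshold=10,
                           window=timedelta(minutes=1)):
    """Return {client_ip: peak POST count to `path` within any `window`}
    for every address that reaches `threshold`."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peaks = {}
    for row in parse_w3c(text):
        if row.get("cs-method") != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != path.lower():  # IIS paths ignore case
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(flag_login_post_bursts(SAMPLE_LOG))
```
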

Huntress said it is spearheading multiple SMB efforts to drive awareness of the “code quality epidemic” before hackers deliver a “great reckoning.”

“We’re going to be the security tide that raises all boats. It’s time to rise up,” said Stewart.

The news comes after BQE Software recently named Victor Limongelli as its new CEO.
