Cybersecurity sleuths at Huntress were alerted to a malicious incident at a US engineering company managed by one of its partners. Investigating the incident, the researchers discovered a SQL injection vulnerability in BillQuick Web Suite 2020.
“Our team was able to successfully recreate this SQL injection-based attack and can confirm that hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers,” shared Caleb Stewart, security researcher at Huntress.
Stewart says the incident was concerning since BQE, the company that develops BillQuick, claims to have a user base of over 400,000 installations around the world.
Securing SMB software
According to the researcher’s analysis, the SQL injection vulnerability, tracked as CVE-2021-42258, can be triggered without much effort via login requests containing an invalid character, a single quote, in the username field.
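As an added illustration (not code from BillQuick or from Huntress’s analysis), here is what that class of bug looks like: a login check that builds its SQL by string concatenation, next to a parameterised version that treats the quote as data. It assumes an in-memory SQLite table as a stand-in for an application’s user store.

```python
import sqlite3


def make_db():
    # Constructed sample user table (illustrative only, not BillQuick's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # The statement is assembled by concatenation, so a single quote in the
    # username closes the SQL string literal early and whatever follows is
    # parsed as SQL. A name like o'brien already makes the query fail to parse.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] == 1   # may raise OperationalError


def breaks_on_quote(conn, username):
    # True when the concatenated query no longer parses for this username:
    # the database error is the signal that input reached the SQL parser.
    try:
        login_vulnerable(conn, username, "irrelevant")
    except sqlite3.OperationalError:
        return True
    return False


def login_safe(conn, username, password_hash):
    # Parameterised query: values travel separately from the statement text,
    # so a quote in the username is just another character to compare.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] == 1


def looks_like_injection_probe(username):
    # Cheap detection heuristic for login logs: flag usernames carrying the
    # single quote that the article says triggers the bug.
    return "'" in username


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "hash-of-alice"))   # True
    print(breaks_on_quote(db, "o'brien"))                   # True
    print(login_safe(db, "o'brien", "x"))                   # False
```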
Huntress notes that the attackers were able to exploit this vulnerability to execute commands on the victim’s machine remotely to deploy an unidentified strain of ransomware.
“The actor we observed did not align with any known/large threat actor of which we are aware. It’s my personal opinion this was a smaller actor and/or group based on their behavior during exploitation and post-exploitation,” Stewart told BleepingComputer.
The good news is that the vulnerability was patched earlier this month after Huntress notified BQE of the bug. Worryingly, however, Stewart says that digging into BillQuick also turned up eight other vulnerabilities, which are still in the process of being patched.
While BQE has been very positive in its engagements with Huntress, Stewart believes the incident goes to show the importance of securing software used by small and medium businesses (SMBs).
“This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed,” concludes Stewart.