Security researchers have disclosed a critical vulnerability in the BillQuick billing software that has been exploited to deploy ransomware on vulnerable systems. The flaw, tracked as CVE-2021-42258, allows remote code execution and was used to mount a ransomware attack. With more than 400,000 users worldwide, a hotfix closing the gap in the widely used software was urgently needed. Eight further security issues, not yet publicly disclosed, remain unaddressed.
Customers under threat from hackers
Huntress Labs threat researcher Caleb Stewart said,
“Hackers can use this to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers. This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.
Hackers are constantly looking for low-hanging fruit and vulnerabilities that can be exploited—and they’re not always poking around in ‘big’ mainstream applications like Office. Sometimes, a productivity tool or even an add-on can be the door that hackers step through to gain access to an environment and carry out their next move.”
The root cause is the way BillQuick Web Suite 2020 builds its SQL database queries: input from the login screen is placed into the query text, so an attacker can inject SQL through the login form without valid credentials. Through that injection a command shell could be spawned and used to execute arbitrary commands on the underlying Windows operating system. Because the application runs with Windows administrator privileges, the injected commands run with the same rights, which is what turns the flaw into a direct path to ransomware deployment.
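The following is an added illustration of the class of bug described above, not BillQuick's code and not a reproduction of the CVE-2021-42258 exploit. It uses a constructed in-memory SQLite user table (assumed schema, not the application's real one) to show a login check that concatenates form input into the SQL text beside a parameterised version of the same check, and demonstrates that a classic authentication-bypass string succeeds against the first and fails against the second.

```python
import sqlite3


def make_db():
    """Constructed sample login table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_login_query_vulnerable(username, password):
    # Vulnerable pattern: the form fields become part of the SQL statement
    # text, so a quote character in the input changes the query's structure.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    sql = build_login_query_vulnerable(username, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Hardened pattern: the statement is fixed and the values travel as bound
    # parameters, so the driver never interprets the input as SQL.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# Constructed attacker input: closes the string literal and appends an
# always-true condition. Against the concatenated query it evaluates as
# username = '' OR '1'='1' AND password = '' OR '1'='1', which is true.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "bypass_vulnerable": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "bypass_safe": login_safe(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Parameterisation removes the injection, but it does not address the second half of the problem the article raises: an application or database service running as an administrator hands every injected statement administrator rights. Running the service under a least-privilege account limits what a successful injection can do on the Windows host.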