BillQuick billing system's zero-day bug targeted by cybercriminals

November 8, 2021

Recently, researchers discovered that a critical SQL injection bug in BillQuick Web Suite is being exploited by an unidentified threat group. The billing system, made by BQE Software, has about 400,000 clients and users globally.

BillQuick is a unified project management product aimed at companies that need simple accounting, billing, and time-tracking capabilities. It can be deployed either on the company's own premises or in the cloud.


How did the cybercriminals find the zero-day bug?

Earlier this month, an engineering firm based in the United States of America was targeted by an unidentified ransomware group that appears to have exploited a vulnerability in the BillQuick server, according to researchers.

The ransomware group went after the severe vulnerability tracked as CVE-2021-42258 and tried to use it to obtain initial access to the firm's network.

CVE-2021-42258 enables threat actors to access a customer's BillQuick data and execute dangerous commands on the primary Windows server.


More details about the zero-day bug

The bug in the BillQuick server is a SQL injection that can be triggered simply by sending login requests with invalid characters in the username field.
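To show the difference between the vulnerable and the fixed pattern, here is an added Python/sqlite3 illustration (not BillQuick's code, which the article does not show) of a login lookup that splices the username into the SQL text next to one that binds it as a parameter; the table, user and inputs are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a billing app's user table (not BillQuick's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def lookup_user_concat(conn, username):
    """Vulnerable pattern: the username is spliced into the SQL text, so a quote
    in the input becomes part of the statement instead of a value to compare."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone()


def lookup_user_param(conn, username):
    """Hardened pattern: the value is bound separately from the SQL text, so the
    driver always treats it as data whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


def demo():
    """Run both lookups on a normal username and on one carrying a stray quote,
    the kind of invalid character the article says triggers the bug."""
    conn = make_db()
    results = {}
    results["normal_concat"] = lookup_user_concat(conn, "alice")
    results["normal_param"] = lookup_user_param(conn, "alice")
    odd = "alice'"  # constructed input: a single stray quote
    try:
        results["odd_concat"] = lookup_user_concat(conn, odd)
    except sqlite3.OperationalError:
        # The spliced query is no longer valid SQL: the input altered the
        # statement, which is exactly the opening an injection exploits.
        results["odd_concat"] = "sql-error"
    results["odd_param"] = lookup_user_param(conn, odd)  # no such user: None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The bound-parameter version answers "no such user" for the odd input, while the spliced version fails with a SQL error, the symptom a defender should treat as a sign that user input is reaching the query text.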

Fortunately, the bug was patched in version 22.0.9.1, days after a research team notified BQE Software of the vulnerability.


Additional research revealed more bugs

After analysing the incident, the researchers set out to recreate the SQL injection attack in a simulated environment.


They confirmed that a threat actor can access a customer's BillQuick data and execute malicious commands on the on-premises Windows server.


In addition, while recreating the ransomware attack, the researchers discovered several vulnerabilities besides CVE-2021-42258.

Like that bug, these newfound flaws can also give threat actors initial access and code execution.

The researchers pointed out that the unknown threat actors do not appear to be affiliated with any big-name ransomware group, since their behaviour during the attack looked amateurish. Even so, the incident is serious and should not be taken lightly.


What is the takeaway?

In conclusion, even small ransomware groups can now exploit zero-day bugs in widely used software. Security teams face not only high-tier ransomware gangs but also smaller ones that can cause trouble for everyone.
