BillQuick customers blindsided by recently patched web security flaw

Cybercriminals are exploiting a vulnerability in a popular billing software platform to spread ransomware.

A blind SQL injection vulnerability in BillQuick is being abused to distribute malware, security researchers at Huntress warn.


Catch up with the latest cyber-attack news and analysis


BQE Software’s BillQuick Web Suite versions earlier than 22.0.9.1 allows SQL injection that gives rise to an even more serious remote code execution (RCE) risk.

The CVE-2021-42258 vulnerability was patched on October 7 (PDF) but a number of systems nonetheless remain vulnerable.

Huntress Threat Ops team reports that the vulnerability was exploited to get initial access onto the systems of a US engineering company prior to a ransomware attack.

Active exploitation

BQE boasts a user base of 40,000 of mostly small to medium-sized organizations worldwide, and the need for those behind the curve of patching or remediating this actively exploited vulnerability could hardly be more pressing.

The vulnerability enables blind SQL injection via the application’s main login form. this opens the door to both stealing data from vulnerable systems without authentication (by dumping SQL database contents) as well as planting malicious code, a detailed technical analysis by Huntress outlines:


With help from our partner, we were able to recreate the victim’s environment and validate simple security tools like sqlmap easily obtained sensitive data from the BillQuick server without authentication.

Because these versions of BillQuick used the sa (System Administrator) MSSQL user for database authentication, this SQL injection also allowed the use of the xp_cmdshell procedure to remotely execute code on the underlying Windows operating system.


Exploitation of the vulnerability is far from difficult, as a technical blog post by Huntress illustrates.

The company’s researchers came upon the attack after a number of ransomware canary files were tripped within an unnamed engineering company’s environment that was managed by one of its partners.

More flaws

Initial forensics work led to the discovery of Microsoft Defender antivirus alerts indicating malicious activity as the MSSQLSERVER$ service account, evidence that a web app was used to hack into the victim’s systems.

Subsequent log analysis identified a server that hosted BillQuick Web Suite 2020 as the initial point of compromise.


RECOMMENDED Discourse fixes critical validation-related vulnerability in forum software


During its research, Huntress identified a further eight vulnerabilities in BQE’s technology. Each has been reserved a CVE identifier but are yet to be resolved, so no details of even the severity of the flaws are publicly available yet.

All that is known, for now, is that the vulnerabilities involve BQE’s BillQuick and Core products. BQE’s Core is an all in one accounting an invoicing software package.

The Daily Swig asked researchers at Huntress for an estimate of the number of potentially vulnerable BillQuick Web Suite installations exposed to the internet as well as information on the strain of ransomware linked to the attack it detected. We also asked BQE to comment on the Huntress research.

No word back as yet, but we’ll update the story as and when more information comes to hand.


YOU MAY ALSO LIKE Swiss exhibitions organizer MCH Group hit by cyber-attack