Hackers Exploit Popular BillQuick Billing Software As Ransomware Runs Wild, Patch Now
Do you use BQE Software's BillQuick? If you do, go update it—immediately. Huntress ThreatOps identified nine zero-day vulnerabilities in BillQuick Web Suite, a time and billing software that the publisher claims is in use by over 400,000 users worldwide.
The most serious is an all-too-common SQL injection flaw: hostile actors can use it to steal sensitive data from the BillQuick database and, on servers running the default configuration, to execute code remotely. Huntress ThreatOps says the flaw has been used in at least one ransomware attack to date and has likely been used in others.
In its blog post detailing the issue, Huntress ThreatOps demonstrates with brief video clips how easy the vulnerability is to trigger. The group says that "simply navigating to the login page and entering a single quote" will give you a full traceback, revealing sensitive information about the server configuration. The post goes on to demonstrate that, using basic open-source security tools, it's trivial to gain remote code execution on a machine running BillQuick Web Suite.
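To make the single-quote probe concrete, here is an added example that is not BillQuick's code and not from Huntress's post. It uses a hypothetical login routine over an in-memory SQLite table (standing in for the real application database, whose schema is not reproduced) and places the vulnerable string-building version next to a parameterised one. The stray quote breaks the statement and surfaces a database error, which in a web app becomes the traceback described above; a comment-terminated payload then turns the same flaw into an authentication bypass.

```python
import sqlite3


def make_db():
    """Constructed stand-in database: one user table, one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical vulnerable login: user input is concatenated into the SQL text,
    so anything the user types becomes part of the statement itself."""
    sql = (
        "SELECT username, is_admin FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # sqlite3 only runs one statement per execute(); server-side engines that accept
    # stacked statements let the same flaw run arbitrary SQL, which is the path to
    # code execution on a database configured to allow it.
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Hardened login: a parameterised query. The driver binds the values, so a
    quote in the input is just data and can never change the statement."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def probe_single_quote(conn):
    """Reproduces the single-quote probe against the vulnerable login.
    Returns the database error text (what a debug page would leak), or None."""
    try:
        login_vulnerable(conn, "'", "")
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("probe error:", probe_single_quote(db))
    # The comment marker discards the password check entirely.
    print("vulnerable bypass:", login_vulnerable(db, "' OR 1=1 --", "wrong"))
    print("safe with same input:", login_safe(db, "' OR 1=1 --", "wrong"))
    print("safe with real credentials:", login_safe(db, "alice", "correct horse"))
```

The fix is not escaping quotes by hand but never letting input reach the SQL parser at all; every mainstream database driver offers bound parameters, and an error page that prints the failed statement should be disabled in production regardless.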
If you're a subscriber of the time and billing software, head over to the Huntress ThreatOps blog, which has instructions on how to examine your log files to determine whether you've been attacked. The group notes that while checking your BillQuick logs isn't a sure-fire detection tool, "the presence of shady SQL statements in your log file strongly suggests someone has been poking around where they shouldn't be."
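The page does not reproduce Huntress's log-checking instructions or BillQuick's log format, so the following is an added, generic example rather than Huntress's procedure: a small scanner that pulls request parameters out of constructed access-log lines (timestamp, method, URL, HTTP status; the format and the sample entries are made up for this example) and flags values that look like SQL injection. It also illustrates the "not sure-fire" caveat: a lone apostrophe is normal in names, so a stray quote is only treated as a probe when the server answered with an error, which is exactly what the single-quote probe elicits.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log; not BillQuick's real format. Adapt LINE to your own logs.
SAMPLE_LOG = """\
2021-10-20 09:12:01 POST /Login.aspx?user=jsmith&pw=Summer2021 200
2021-10-20 09:12:45 POST /Login.aspx?user=%27&pw= 500
2021-10-20 09:13:02 POST /Login.aspx?user=%27+OR+1%3D1--&pw=x 200
2021-10-20 09:13:30 POST /Login.aspx?user=O%27Brien&pw=hunter2 200
2021-10-20 09:14:10 POST /Login.aspx?user=a%27%3B+EXEC+master..xp_cmdshell+%27whoami%27--&pw=x 500
2021-10-20 09:15:00 GET /Report.aspx?id=42 200
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

# Generic injection indicators (not Huntress's list). Each is strong enough to flag on its own.
STRONG_INDICATORS = [
    ("tautology", re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I)),
    ("comment terminator", re.compile(r"--|/\*")),
    ("stacked statement", re.compile(r";\s*(?:exec|execute|select|insert|update|delete|drop|declare)\b", re.I)),
    ("union select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stored procedure", re.compile(r"\b(?:xp|sp)_\w+", re.I)),
]


def inspect_value(value):
    """Return the list of indicator names that match one decoded parameter value."""
    reasons = [name for name, rx in STRONG_INDICATORS if rx.search(value)]
    if value.count("'") % 2 == 1:
        reasons.append("unbalanced quote")
    return reasons


def scan_log(text):
    """Return [(line_no, status, reasons)] for lines whose parameters look like injection."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue
        status = int(m.group("status"))
        params = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        reasons = []
        for name, values in params.items():
            for value in values:
                reasons += [f"{name}: {r}" for r in inspect_value(value)]
        strong = [r for r in reasons if not r.endswith("unbalanced quote")]
        # A lone quote is common in legitimate names (O'Brien), so on its own it is
        # only reported when the request produced a server error, as a probe does.
        if strong or (reasons and status >= 500):
            hits.append((line_no, status, reasons))
    return hits


if __name__ == "__main__":
    for line_no, status, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} (HTTP {status}): {', '.join(reasons)}")
```

Run against the sample, lines 2, 3 and 5 are reported and the O'Brien login is not; in real logs the status-code heuristic only helps if the application logs its responses, so treat a hit as a prompt to pull the full request and the database error log for that timestamp, not as proof by itself.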
BleepingComputer, speaking with Huntress ThreatOps, found that the ransomware used in the known BQE exploits has been in use since May 2020. Huntress expects exploitation of these bugs to ramp up soon, but there's no need to panic-switch timekeeping providers: on October 7th BQE issued an update that patches these vulnerabilities. Just make sure your software is updated and all should be groovy, at least until the next major exploit is discovered.