A so-far unidentified ransomware group is exploiting a critical SQL injection bug in the BillQuick Web Suite time-tracking and billing solution to deliver ransomware to targets' networks in ongoing attacks.
BQE Software has a user base of 400,000 users worldwide, including "top architects, engineers, accountants, lawyers, IT professionals and business consultants".
Attackers hit an American engineering company with ransomware by exploiting a vulnerability in BQE Software's time-tracking and billing system.
SQL injection is a type of attack that allows an attacker to interfere with the queries an application makes to its database. These attacks are usually performed by inserting malicious SQL commands into an input field of the website. The attackers used the SQL injection vulnerability, which allows remote code execution (RCE), to gain initial access.
The vulnerability, identified as CVE-2021-42258, can be triggered by a login request containing invalid characters in the username field. Researchers also discovered eight other BillQuick zero-day vulnerabilities (including CVE-2021-42573, CVE-2021-42741 and CVE-2021-42742) that could likewise be used for initial access or code execution, but details are being withheld until fixes are available.
An unauthenticated attacker could exploit the vulnerability to dump data from the MSSQL databases used by BQE Web Suite, or for RCE, which could allow the attacker to take control of the entire server.
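To illustrate the bug class described above, the following added example (not BillQuick's or BQE's code) shows a login lookup that splices the username into the SQL text beside the parameterized form that does not; it assumes sqlite3 as a stand-in for the MSSQL backend and a constructed `users` table.

```python
import sqlite3

# Added example, not BillQuick code: a constructed users table in an
# in-memory sqlite3 database stands in for the MSSQL backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # The username is concatenated into the SQL text, so any quote or
    # comment sequence in it changes the structure of the query itself.
    sql = "SELECT pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, username):
    # Placeholder binding: the driver passes the value separately from the
    # query text, so it can never be parsed as SQL whatever it contains.
    sql = "SELECT pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()

def demo(username):
    """Return (vulnerable_result, safe_result): a row, None for no match,
    or the string 'SQL_ERROR' when the concatenated query text was broken."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        vuln = "SQL_ERROR"
    safe = lookup_safe(conn, username)
    return vuln, safe

if __name__ == "__main__":
    print(demo("alice"))    # both lookups find the row
    print(demo("o'brien"))  # concatenation breaks the query; binding finds nothing
```

A stray quote that raises a database error in the concatenated version is the same behaviour that lets crafted input rewrite the query, which is why the parameterized form is the fix rather than input filtering alone.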
It is not clear which ransomware group is behind these attacks, and the attackers did not leave ransom notes on the encrypted systems to identify themselves or to demand that victims pay a ransom in exchange for a decryptor.
The ransomware deployed by this gang has been in use since May 2020 and borrows code from other AutoIT-based ransomware families. Once deployed on the target, it appends a pushken91@bk.ru extension to all encrypted files.