An unknown ransomware group is exploiting a critical SQL injection bug found in the BillQuick Web Suite time and billing solution to deploy ransomware on their targets' networks in ongoing attacks.
BQE Software, the company behind BillQuick, claims to have a 400,000 strong user base worldwide.
The vulnerability, tracked as CVE-2021-42258, can be triggered extremely easily via login requests with invalid characters (a single quote) in the username field, according to security researchers with the Huntress ThreatOps team.
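The "single quote in the username field" observation is the classic symptom of a login query built by string concatenation. The following is an added example, not BillQuick's code and not the Huntress researchers' test; it uses a constructed in-memory SQLite table with a made-up schema to show the defective pattern beside the fix (bound parameters), and a `probe` helper that reports whether a given username value makes the query error out, which is what a defender would check in their own login handler.

```python
import sqlite3

# Constructed sample data: a minimal users table, not BillQuick's real schema.
# The second user has a legitimate apostrophe in the name, which is exactly
# the kind of input a concatenated query mishandles.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-placeholder-1"), ("o'brien", "hash-placeholder-2")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable pattern: the attacker-controlled username is pasted into
    the SQL text, so a single quote terminates the string literal early and
    the rest of the input is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened pattern: the username travels as a bound parameter, so the
    database engine treats every character in it as data, never as syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(conn, fn, username):
    """Run a lookup and report ('ok', rows) or ('error', message).
    A login handler that returns 'error' for a lone quote is building SQL
    from user input and needs the parameterized form."""
    try:
        return ("ok", fn(conn, username))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "o'brien", "'"):
        print(f"concat  {value!r:10} -> {probe(db, lookup_concat, value)}")
        print(f"param   {value!r:10} -> {probe(db, lookup_param, value)}")
```

Running it shows the concatenated version failing with a syntax error for both the legitimate `o'brien` and the bare quote, while the parameterized version returns the matching row for `o'brien` and an empty result for the quote. The same probe, pointed at a staging copy of an application's login endpoint, is a cheap regression check that the fix actually landed in every query path.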
This actively exploited vulnerability was patched on October 7 after Huntress Labs notified BQE Software of the bug.
However, the researchers also found eight other BillQuick zero-day vulnerabilities (CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741 and CVE-2021-42742) that are also usable for initial access and code execution, and that remain ripe for abuse because they are still waiting for a patch.