
A mysterious ransomware group is exploiting a critical SQL injection vulnerability in the BillQuick Web Suite time and billing solution to deploy ransomware on its targets’ networks in ongoing attacks.

BQE Software has a user base of 400,000 users across the globe, including “leading architects, engineers, accountants, attorneys, IT specialists and Business Consultants.”

Hackers hit a U.S. engineering company with ransomware through a vulnerability discovered in BQE Software’s time and billing system.

SQL injection is a type of attack that allows an attacker to interfere with the queries an application makes to its database. These attacks are generally carried out by inserting malicious SQL commands into an input field used by the website. The attackers used the SQL injection vulnerability, which allows remote code execution (RCE), to gain access.

The vulnerability, tracked as CVE-2021-42258, can be triggered easily via a login request with invalid characters in the username field. However, the researchers also found eight other BillQuick zero-day vulnerabilities (CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741 and CVE-2021-42742) that are still waiting for a patch and could be used for initial access or code execution.
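To show why a login form that pastes the username into the query text breaks on unexpected characters, and what the fix looks like, here is an added example (not BillQuick’s code; BQE has not published the vulnerable routine). It uses an in-memory SQLite table as a stand-in for the MSSQL database, and the table name, columns and sample user are constructed assumptions:

```python
import re
import sqlite3

# Constructed stand-in for the MSSQL users table (assumption: the real
# BillQuick schema is not described in the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn

def login_vulnerable(conn, username, password_hash):
    """Concatenated query: the username becomes part of the SQL text, so a
    stray quote changes the statement instead of being treated as data."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] == 1

def login_parameterized(conn, username, password_hash):
    """Hardened form: values are bound as parameters and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] == 1

# Defence in depth: reject usernames outside an allowlist before any query.
# The character set is an assumption for the example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

def username_is_valid(username):
    return USERNAME_RE.fullmatch(username) is not None

def probe(login_fn, username, password_hash="wrong-hash"):
    """Classify one login attempt as 'ok', 'denied' or 'sql-error'."""
    conn = make_db()
    try:
        return "ok" if login_fn(conn, username, password_hash) else "denied"
    except sqlite3.OperationalError:
        # The database rejected the statement: the input reached the parser.
        return "sql-error"
```

A login endpoint that answers a quoted username with a database error rather than a plain "denied" is the symptom to look for in application logs; the parameterized version returns "denied" for the same input.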

An unauthorized attacker could exploit the vulnerability to dump the contents of the MSSQL database used by BQE Web Suite, or for RCE, which could give them control over the entire server.

The ransomware group behind these attacks is unknown: the attackers have not dropped ransom notes on encrypted systems, which would make it easier to identify them, and have not asked their victims to pay a ransom in exchange for decryptors.

The ransomware deployed by this gang has been in use since May 2020 and borrows code from other AutoIT-based ransomware families. Once deployed on a target, it appends the [email protected] extension to all encrypted files.