Huntress disclosed a new vulnerability in BQE billing management software that the firm says was used to install ransomware at a United States engineering firm.
BQE Core software is used by 400,000 firms, according to its website, to track hourly work, expenses and invoices.
CVE-2021-42258, disclosed in a Huntress blog, is a SQL injection that allows for remote code execution. That vulnerability has been patched, said Caleb Stewart, a security researcher at Huntress. But over the course of Huntress's investigation, the firm found eight other vulnerabilities that remain unpatched.
"This vulnerability allowed an attacker to remotely [take control] without any authentication," said Stewart. "At its very core, that allows leaked data from the database, which on its own could be terrible for a billing database. That is on its own bad, but because of the way that the backend SQL database is commonly set up, it also allowed hackers to get remote code execution on the SQL server, and from there privilege escalation for activity throughout the whole network."
Stewart said the best course of mitigation would be to patch for the current vulnerability, and to generally restrict unnecessary remote access to BQE servers.
Huntress said the intrusion appeared to be the work of a small ransomware group, rather than one an affiliate of the larger-scale operations that tend to make headlines.
"That said, this attack is not something that is difficult. I would expect it to get picked up by the bigger organizations, pretty quickly as it gets more traction," said Stewart.