
BillQuick Web Suite

Product
Developers: BQE Software
Technology: Time & Attendance

2021: Ransomware operators attack companies worldwide through a vulnerability in BQE Software's BillQuick Web Suite

At the end of October 2021 it became known that attackers had begun compromising companies and deploying ransomware through a vulnerability in BillQuick Web Suite, the time-tracking and billing system developed by BQE Software. The finding was reported by Huntress, a threat research company.

The flaw in BillQuick Web Suite gives attackers a foothold from which ransomware can be deployed. Huntress security researcher Caleb Stewart said the incident continues to highlight a recurring pattern in SMB (small and medium business) software: well-established vendors do very little to proactively secure their applications and expose their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.


According to Huntress, the attackers exploited CVE-2021-42258 in BillQuick Web Suite to gain access to a US engineering company and then spread ransomware across the victim's network. BillQuick was running on the company's on-premises Windows servers.

"Given that BQE's self-reported user base is 400,000 users worldwide, a malicious campaign aimed at its customers is worrying. Our team was able to successfully recreate this SQL-injection-based attack and can confirm that hackers can use it to access BillQuick customers' data and run malicious commands on their on-premises Windows servers. We have seen Microsoft Defender antivirus alerts indicating malicious activity under the MSSQLSERVER$ service account. This indicated that the web application may have been used to gain initial access," Huntress security researcher Caleb Stewart wrote in a blog post.
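The quoted finding combines two facts: the login endpoint was injectable, and the resulting commands ran under the SQL Server service account. The following added example (not BillQuick's code and not Huntress's reproduction) shows the generic pattern behind such a finding: a login check that builds its SQL by string concatenation, beside the same check with bound parameters. It uses Python's built-in sqlite3 in place of SQL Server so it runs offline; the table, user and payloads are constructed for the demonstration. It shows why a lone single quote at a login form produces a database error only in the concatenated version, and why the classic comment-out payload authenticates there but not in the parameterized one. Commands issued through a database engine inherit the engine's own identity, which is why alerts attributed to the MSSQLSERVER$ account point back at the web application rather than at an interactive user.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the attacker's text becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the attacker's text stays data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def probe(conn, login_fn, username):
    """One login attempt with a junk password; returns (authenticated, database_error)."""
    try:
        return login_fn(conn, username, "wrong-password"), False
    except sqlite3.OperationalError:
        # Malformed SQL surfaced as a server-side error: the tell-tale of string-built queries.
        return False, True


def run_demo():
    """Run three constructed usernames against both login implementations."""
    conn = make_db()
    results = {}
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        results[name] = {
            "single_quote": probe(conn, fn, "'"),          # breaks the query only when concatenated
            "bypass": probe(conn, fn, "' OR 1=1 --"),      # comments out the password check
            "honest": probe(conn, fn, "alice"),            # real user, wrong password
        }
    return results


if __name__ == "__main__":
    for impl, outcome in run_demo().items():
        print(impl, outcome)
```

The interesting cell is the vulnerable implementation's reaction to a single quote: the request fails with a database error rather than a clean "login failed", which is exactly the kind of response an attacker hammering a login endpoint with POST requests is looking for. With bound parameters every one of the three probes is an ordinary failed login.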

Stewart said Huntress learned of the vulnerability after several of its Ransomware Canary files were triggered in the environment of an engineering company managed by one of its partners. The server in question hosted BillQuick Web Suite 2020, and its connection logs showed a foreign IP address repeatedly sending POST requests to the web server's login endpoint, which led to the initial compromise.[1]

Notes