A critical error in the SQL injection, which was found in the time and accounting solution of the BillQuick Web Suite, is currently used by an as yet unidentified Ransomware group to deploy ransomware in the networks of the targets.
According to Huntress ThreatOps researchers, the vulnerability can easily be triggered by login requests with invalid characters in the username field.
While it is not clear whether the Ransomware is used as a decoy to cover up other malicious activities, investigations by Bleeping Computer showed that Ransomware is in use since May 2020, and as soon as she is used on target systems, she will add the pusheken91@bk.ru extension to all encrypted files.
While the vulnerability was patched on October 7 after Huntress Labs notified BQE of the software bug, 8 unpatched vulnerabilities could also be exploited for initial access/code execution.
Speaking about the ransomware and the gang behind it, Huntress Labs security expert Caleb Stewart explained: “The actor we observed did not align with any known/large threat actor of which we are aware. It’s my personal opinion this was a smaller actor and/or group based on their behavior during exploitation and post-exploitation. However, based on the issues we’ve identified/disclosed, I would expect further exploitation by others moving forward is likely. We observed the activity over Columbus Day weekend (08-10 October 2021).”