Hackers used Billing Software Zero-day to Deploy Ransomware

October 26, 2021

A critical error in the SQL injection, which was found in the time and accounting solution of the BillQuick Web Suite, is currently used by an as yet unidentified Ransomware group to deploy ransomware in the networks of the targets.

According to Huntress ThreatOps researchers, the vulnerability can easily be triggered by login requests with invalid characters in the username field.

While it is not clear whether the Ransomware is used as a decoy to cover up other malicious activities, investigations by Bleeping Computer showed that Ransomware is in use since May 2020, and as soon as she is used on target systems, she will add the pusheken91@bk.ru extension to all encrypted files.

While the vulnerability was patched on October 7 after Huntress Labs notified BQE of the software bug, 8 unpatched vulnerabilities could also be exploited for initial access/code execution.

Speaking about the ransomware and the gang behind it, Huntress Labs security expert Caleb Stewart explained: “The actor we observed did not align with any known/large threat actor of which we are aware. It’s my personal opinion this was a smaller actor and/or group based on their behavior during exploitation and post-exploitation. However, based on the issues we’ve identified/disclosed, I would expect further exploitation by others moving forward is likely. We observed the activity over Columbus Day weekend (08-10 October 2021).”

For more information, read the original story in Bleeping Computer.

Top Stories

Related Articles

June 9, 2026 Hackers exploited Meta’s AI-powered support chatbot to gain control of Instagram accounts, including several high-profile profiles. Meta more...

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers more...

May 20, 2026 The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure more...

May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and more...

Picture of TND News Desk

TND News Desk

Staff writer for Tech Newsday.
Picture of TND News Desk

TND News Desk

Staff writer for Tech Newsday.

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn