QuickBooks is an accounting software package developed by Intuit and geared towards small and medium-sized businesses. It is offered both as an on-premises accounting application and as cloud-based versions with facilities such as managing and paying bills and running payroll.
According to researchers at ThreatLocker, cybercriminals have employed new malware designed to exfiltrate data from QuickBooks and post it on the Internet, with the attackers using phishing scams and social engineering tricks to deliver the malware.
How Attackers Can Exfiltrate Data from QuickBooks
Attackers mainly use email to deliver the malware that targets the accounting software, and the method they employ includes a PowerShell command that is launched from within the email.
The attack takes the form of a PowerShell command that can be triggered from an email: when the recipient opens a document attached to the email, a link within that document downloads a malicious file from the Internet. Once the PowerShell command is running, it retrieves the most recent QuickBooks files and uploads them to the Internet.
Another method employed by bad actors is to run the PowerShell cmdlet Invoke-WebRequest on the target system to upload the relevant QuickBooks data to the Internet without having to download any malware at all. Because the attackers use signed malware most of the time, it becomes even harder for antivirus or other threat detection software to detect.
The stolen data is often sold on the dark web. According to the researchers, there are also instances where the attackers resort to bait-and-switch tactics, posing as suppliers in order to lure customers into making fraudulent bank transfers.
How to Mitigate against QuickBooks File Data Theft
The risk of attack increases exponentially when QuickBooks file permissions are set to the "Everyone" group, as the attacker can then target any individual within the company rather than just the specific person who holds the right privileges.
Therefore, users are advised to be vigilant about these sorts of attacks and to make sure file permissions are not set to the "Everyone" group, which limits the exposure to further attacks. If you are using a Database Server, always check the permissions after running database repairs and confirm that they are locked down.
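As an added example (not from the article or from ThreatLocker), the following PowerShell script audits QuickBooks company files for ACL entries granted to the "Everyone" group, which is the exposure described above, and can optionally strip those entries. The search root, the file extensions (.qbw, .qbb) and the -Remediate switch are assumptions; run it as an administrator with rights to read and modify the ACLs.

```powershell
# Added example: find (and optionally remove) "Everyone" ACEs on QuickBooks files.
# Assumptions: company files live under $Roots and use the .qbw/.qbb extensions.
param(
    [string[]]$Roots = @("C:\Users\Public\Documents\Intuit\QuickBooks"),  # assumed location
    [switch]$Remediate                                                    # strip Everyone ACEs
)

# Well-known SID for "Everyone" (S-1-1-0); matching on the SID keeps the check
# locale-independent (the display name differs on non-English Windows).
$everyone = [System.Security.Principal.SecurityIdentifier]::new("S-1-1-0")

function Get-EveryoneAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
    }
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.qbw, *.qbb -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            foreach ($ace in (Get-EveryoneAces -Path $file)) {
                [pscustomobject]@{
                    File      = $file
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited   # inherited ACEs must be fixed on the parent folder
                }
            }
        }
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    # Only explicit (non-inherited) ACEs can be removed directly on the file.
    foreach ($f in ($findings | Where-Object { -not $_.Inherited })) {
        $acl = Get-Acl -Path $f.File
        # RemoveAccessRuleAll removes every ACE for this identity regardless of its rights mask.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($everyone, "Read", "Allow")
        $acl.RemoveAccessRuleAll($rule)
        Set-Acl -Path $f.File -AclObject $acl
        Write-Host "Removed Everyone access from $($f.File)"
    }
}
```

Files that show Inherited = True get their "Everyone" entry from a parent folder, so the fix belongs on that folder's ACL rather than on the individual company file.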