Quickbooks file data theft has been on the rise over the last few months. We have observed attackers using email in various ways to deliver malware and exploit the accounting software.
The first method involves a PowerShell command delivered inside the email itself.
The second method involves a Word document. When the recipient opens the document attached to the email, a macro or link within it downloads a file from the internet. Once the executable or PowerShell command is running, it retrieves the location of your most recently saved Quickbooks file, whether on a file share or a local disk, and uploads that file to the internet.
In most cases the attack uses basic malware that is often code-signed, which makes it hard to detect with antivirus or other threat-detection software.
Alternatively, instead of dropping malware, the attacker runs an Invoke-WebRequest command that uploads the file to the internet. The resulting damage is made worse by a design flaw in Quickbooks.
When Quickbooks is hosted on a file server, you are required to use the Quickbooks Database Server Manager. When it carries out a repair, the file permissions are reset and the ‘Everyone’ group is added to the permissions. As a result, access to the database is left wide open, which is a major security concern.
Once a user has access to the Quickbooks database, malware or weaponized PowerShell running as that user can read the company file from the file server, regardless of whether the user is an administrator. In addition, resetting the permissions to the ‘Everyone’ group massively increases the attack surface: an attacker only needs to compromise one user in the company rather than a specific person.
Once the file is uploaded to the internet, attackers monetize the data by selling it as a commodity on the dark web. They also use the data in spear-phishing campaigns that rely on a bait-and-switch. One example we’ve observed involves emailing a customer while posing as a supplier and requesting that a payment be sent to a new bank account. Another involves sending an email from an address that appears to belong to a known supplier, partner, or customer and requesting a bank transfer.
For those of you who are using Quickbooks, there are a few policies we recommend you have in place:
Make sure your permissions are not set to the ‘Everyone’ group; that way, you limit your exposure to a single compromised user. If you are using the Database Server Manager, check the permissions after every database repair and confirm they are locked down.
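The following PowerShell script is an added example and is not code from the original post or from ThreatLocker. It audits both the NTFS ACL and the SMB share permissions of a Quickbooks company-file folder for the ‘Everyone’ group (and other broad principals) so the check described above can be run after every Database Server Manager repair. The path and the list of broad principals are assumptions; the ‘-RemoveBroadAces’ switch is only applied with ‘-WhatIf’ support so nothing is changed unless you confirm.

```powershell
# Added example (not the post's or ThreatLocker's code): audit a QuickBooks
# company-file folder for overly broad permissions after a database repair.
param(
    # Assumed placeholder: the folder holding your *.QBW company files
    [string]$SharePath = 'C:\QuickBooksShare',
    # Remove the offending ACEs instead of only reporting them (supports -WhatIf)
    [switch]$RemoveBroadAces
)

# Principals that should never hold rights on a company-file folder (assumed list;
# extend it with any domain-wide groups your environment uses)
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Get-BroadNtfsAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($broadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Layer     = 'NTFS'
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-BroadShareAces {
    param([string]$Path)
    # Map the folder back to any SMB share that exposes it, then read share-level ACL
    Get-SmbShare | Where-Object { $_.Path -eq $Path } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $broadPrincipals -contains $_.AccountName
        } | ForEach-Object {
            [pscustomobject]@{
                Layer     = "SMB share '$($_.Name)'"
                Identity  = $_.AccountName
                Rights    = $_.AccessRight
                Type      = $_.AccessControlType
                Inherited = $false
            }
        }
    }
}

$findings = @(Get-BroadNtfsAces -Path $SharePath) + @(Get-BroadShareAces -Path $SharePath)

if (-not $findings) {
    Write-Output "OK: no broad principals on $SharePath (NTFS or share level)"
    return
}

Write-Warning "Broad principals found on $SharePath; QuickBooks data is readable by any user:"
$findings | Format-Table -AutoSize

if ($RemoveBroadAces) {
    # Strip only the NTFS ACEs we flagged; share-level entries are fixed with
    # Revoke-SmbShareAccess and are left for an explicit administrator decision here.
    $acl = Get-Acl -Path $SharePath
    foreach ($ace in @($acl.Access)) {
        if ($broadPrincipals -contains $ace.IdentityReference.Value -and -not $ace.IsInherited) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    if ($PSCmdlet.ShouldProcess($SharePath, 'Remove broad NTFS ACEs')) {
        Set-Acl -Path $SharePath -AclObject $acl
    }
}
```

Run it as a scheduled task on the file server, or immediately after any Database Server Manager repair, and alert on a non-empty result. Inherited ACEs are reported but not removed, because the fix for those belongs on the parent folder; the remediation path is deliberately limited to the NTFS layer and gated by ‘-WhatIf’ so the script cannot silently change access.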
If you are using ThreatLocker Storage Control, restrict access to the Quickbooks share so that only Quickbooks can access it. That way, if malware delivered through a document or a PowerShell command attempts to reach the file, it cannot access it.
If you are also using Application Whitelisting through ThreatLocker, malware will not be able to run and PowerShell commands will not execute from Microsoft Office, provided you have our standard Ringfencing policies in place. It is critical that you apply the suggested Ringfencing policies for Microsoft Office.
We’ve observed a major increase in Quickbooks file data theft and we recommend that you remain vigilant against these attacks. If you are unsure whether this has already occurred in your own environment, you can use ThreatLocker Audit Mode to review what has accessed your Quickbooks database within a given period of time. This gives you visibility of unusual activity.
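For environments without ThreatLocker Audit Mode, the same question (what accessed the company file, and from which process) can be answered from the Windows Security log. The script below is an added example, not code from the original post or from ThreatLocker, and it uses native object-access auditing rather than the product the post describes. It assumes that ‘Audit File System’ is enabled and that a SACL exists on the company-file folder, so that Event ID 4663 records are written; the file-server name, the look-back window and the list of expected processes are assumptions to adjust for your environment.

```powershell
# Added example (not the post's or ThreatLocker's code): summarise which accounts and
# processes touched QuickBooks company files (*.qbw, *.qbw.nd, *.qbw.tlg) using
# Security log Event ID 4663 ("An attempt was made to access an object").
param(
    [int]$Days = 7,                    # assumed look-back window
    [string]$FileServer = 'localhost'  # assumed placeholder for the file server
)

# Processes normally expected to open company files. Assumed list: confirm the exact
# binary names for your QuickBooks version before relying on it for alerting.
$expectedProcesses = @('QBW32.exe', 'QBDBMgrN.exe')

function Get-QuickBooksFileAccess {
    param([int]$Days, [string]$ComputerName)

    $filter = @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            if ($data.ObjectName -match '\.qbw(\.nd|\.tlg)?$') {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Account    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Process    = [System.IO.Path]::GetFileName($data.ProcessName)
                    File       = $data.ObjectName
                    AccessMask = $data.AccessMask
                    Expected   = $expectedProcesses -contains [System.IO.Path]::GetFileName($data.ProcessName)
                }
            }
        }
}

$events = Get-QuickBooksFileAccess -Days $Days -ComputerName $FileServer

# Summary: who opened what, through which process, and how often
$events | Group-Object Account, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Anything that is not the QuickBooks client or database service deserves a look:
# a script host or an unfamiliar binary reading the company file matches the
# PowerShell / dropped-executable behaviour described in the post.
$unexpected = $events | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning "Company files were opened by processes other than QuickBooks:"
    $unexpected | Sort-Object Time | Format-Table Time, Account, Process, File -AutoSize
} else {
    Write-Output "Only expected QuickBooks processes accessed company files in the last $Days days."
}
```

Enable the auditing prerequisite with ‘auditpol /set /subcategory:"File System" /success:enable’ and add a SACL on the company-file folder before relying on this; without the SACL no 4663 events are generated. The grouping by account and process is the useful view here, because a single user opening the file through ‘powershell.exe’ or an unsigned executable stands out immediately, even though the access itself succeeded.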
To learn more about how ThreatLocker protects against this vulnerability, schedule a call with a Cyber Hero.