Cybercriminals Target QuickBooks Databases

Stolen financial files then get sold on the Dark Web, researchers say.

Cybercriminals increasingly have targeted QuickBooks file data at small and midsize businesses (SMBs) over the past few months, according to new research.

The breaches start with two types of phishing attacks to gain access to QuickBooks databases, according to findings by ThreatLocker. In the first, the attackers send a PowerShell command that runs inside the malicious email. In the second, the attackers send a Word document via email; if the recipient opens the attached document, a macro or link within that document downloads a file onto their machine. Once the executable or PowerShell command runs, it retrieves the victim's most recently saved QuickBooks file location, points to the file share or local file, and grabs that file.


Danny Jenkins, co-founder and CEO of ThreatLocker, says the attackers usually upload the stolen files to either Google Cloud or Amazon Web Services as a temporary transfer point. From there, they sell the data on the Dark Web, where other cybercriminals buy the data to launch more targeted attacks on other QuickBooks databases or on the customers and suppliers of the victim organizations.

"They will attack every angle possible," Jenkins adds. "Cybercriminals can easily buy these QuickBook databases on the Dark Web and launch attacks."

Meanwhile, some 43% of organizations of all sizes say they've been victims of a spear-phishing attack in the past 12 months, according to data from Barracuda Networks, and only 23% say they have dedicated spear-phishing protection in place.

"Most of the emails are invoices and resumes," ThreatLocker's Jenkins explains of the lures. "We don't have exact numbers, but we do know that millions of dollars in cybercrime is caused by these types of attacks."

Accounting programs are often written without taking security into consideration, Jenkins notes, and QuickBooks has a fundamental flaw: When an administrator runs a "repair" on the QuickBooks database after a system crash, all the file-share permissions can be reset, leaving the database accessible by everyone in the company. This means if hackers get into the system after a repair, they have access to all permissions — including the company's accountant or business manager.
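The permission reset described above is something an administrator can check for directly after every repair. The following PowerShell script is an added example, not code from the article or from ThreatLocker: it walks the NTFS ACLs on a QuickBooks data folder and its company files, reads the SMB share permissions, and flags any Allow entry granted to a broad principal such as Everyone or Authenticated Users. The folder path, share name and file extensions are assumptions and should be replaced with the real ones.

```powershell
# Added example (not from the article or ThreatLocker): audit NTFS and SMB-share
# permissions on QuickBooks company files, flagging entries that grant broad
# principals access. $CompanyFileRoot and $ShareName are assumed values.

$CompanyFileRoot = 'C:\QuickBooksData'   # assumed location of the company files
$ShareName       = 'QuickBooksData'      # assumed SMB share exposing that folder

# Principals that should never hold rights on accounting data.
$BroadPrincipals    = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$DomainUsersPattern = '\\Domain Users$'

function Test-BroadPrincipal {
    param([string]$Identity)
    return ($BroadPrincipals -contains $Identity) -or ($Identity -match $DomainUsersPattern)
}

$findings = @()

# 1. NTFS ACLs on the folder itself and on every company/backup/log file beneath it.
$targets  = @(Get-Item -Path $CompanyFileRoot)
$targets += @(Get-ChildItem -Path $CompanyFileRoot -Recurse -File -Include *.qbw, *.qbb, *.qba, *.tlg -ErrorAction SilentlyContinue)

foreach ($item in $targets) {
    $acl = Get-Acl -Path $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.IdentityReference.Value)) {
            $findings += [pscustomobject]@{
                Kind      = 'NTFS'
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 2. Share-level permissions (SmbShare module, Windows 8 / Server 2012 or later).
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    $shareAccess = Get-SmbShareAccess -Name $ShareName -ErrorAction SilentlyContinue
    foreach ($entry in $shareAccess) {
        if ($entry.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $entry.AccountName)) {
            $findings += [pscustomobject]@{
                Kind      = 'Share'
                Path      = "\\$env:COMPUTERNAME\$ShareName"
                Principal = $entry.AccountName
                Rights    = $entry.AccessRight.ToString()
                Inherited = $false
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No broad-access entries found on $CompanyFileRoot or share $ShareName."
} else {
    Write-Warning "$($findings.Count) broad-access entries found; restrict them to the accounting group:"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on the file server immediately after a repair and again on a schedule; a clean baseline should produce no findings, so any output is a signal that permissions have been widened and need to be restored to the accounting group before the share is used again.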

"People wonder how the hackers have access to all their customer accounts, but it's really quite simple: Once they have access to the QuickBooks database, they have access to all your customers," Jenkins says. "What we're telling SMBs is to restrict permissions by user and by application. There's no reason for Microsoft Office or PowerShell to have access to QuickBooks."

ThreatLocker detailed its research in a blog post today.

Dirk Schrader, global vice president, security research at New Net Technologies, says the QuickBooks attacks are notable for their simplicity. The attackers are using only a few lines of PowerShell script and exploiting design weaknesses in a software application that's widely used by smaller companies, many of which lack the expertise and staffing to stay up to par with cybersecurity issues.

Schrader says SMBs should control whether PowerShell scripts can be executed with the current user's rights and permissions. While that might be overwhelming for some small organizations, they can instead look to secure configuration management and change control to detect the malicious file drops.
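The change-control approach Schrader recommends can be approximated with a small baseline-and-diff check. The script below is an added example, not code from the article or from New Net Technologies: on its first run it records a baseline of the monitored folders (SHA-256 hash, owner and ACL in SDDL form for every file) to a JSON file; on later runs it compares the current state against that baseline and reports new files, changed content, changed permissions and deletions, and singles out newly dropped executables and scripts. The monitored folders and the baseline path are assumptions.

```powershell
# Added example (not from the article or New Net Technologies): a minimal
# file-integrity / change-control check. $MonitoredPaths and $BaselinePath are
# assumed values; adjust them to the folders that matter on the host.

$MonitoredPaths = @('C:\QuickBooksData', "$env:USERPROFILE\Downloads")       # assumed
$BaselinePath   = 'C:\ProgramData\ChangeControl\baseline.json'              # assumed

function Get-FolderSnapshot {
    param([string[]]$Paths)
    $snapshot = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($file in Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue) {
            $hash  = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $acl   = Get-Acl -Path $file.FullName -ErrorAction SilentlyContinue
            $owner = $null; $sddl = $null
            if ($acl) { $owner = $acl.Owner; $sddl = $acl.Sddl }
            $snapshot[$file.FullName] = @{ Hash = $hash.Hash; Owner = $owner; Sddl = $sddl }
        }
    }
    return $snapshot
}

function Compare-Snapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            $changes += [pscustomobject]@{ Change = 'NewFile'; Path = $path; Detail = $Current[$path].Hash }
            continue
        }
        if ($Baseline[$path].Hash -ne $Current[$path].Hash) {
            $changes += [pscustomobject]@{ Change = 'ContentChanged'; Path = $path; Detail = $Current[$path].Hash }
        }
        if ($Baseline[$path].Sddl -ne $Current[$path].Sddl) {
            $changes += [pscustomobject]@{ Change = 'PermissionsChanged'; Path = $path; Detail = $Current[$path].Sddl }
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            $changes += [pscustomobject]@{ Change = 'Deleted'; Path = $path; Detail = '' }
        }
    }
    return $changes
}

$current = Get-FolderSnapshot -Paths $MonitoredPaths

# First run: write the baseline and stop.
if (-not (Test-Path -Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path -Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) files)."
    return
}

# Later runs: rebuild the baseline hashtable from JSON (ConvertFrom-Json yields
# PSCustomObjects, so convert back by hand for Windows PowerShell 5.1 compatibility).
$baselineObj = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baseline = @{}
foreach ($prop in $baselineObj.PSObject.Properties) {
    $baseline[$prop.Name] = @{ Hash = $prop.Value.Hash; Owner = $prop.Value.Owner; Sddl = $prop.Value.Sddl }
}

$changes = Compare-Snapshot -Baseline $baseline -Current $current

# Newly appeared executables and scripts are the file drops worth alerting on first.
$dropPattern = '\.(exe|dll|ps1|bat|cmd|vbs|js|hta|scr)$'
$drops = @($changes | Where-Object { $_.Change -eq 'NewFile' -and $_.Path -match $dropPattern })

if ($drops.Count -gt 0) {
    Write-Warning "$($drops.Count) new executable/script file(s) since baseline:"
    $drops | Format-Table -AutoSize
}
if ($changes.Count -eq 0) {
    Write-Output 'No changes since baseline.'
} else {
    Write-Output "$($changes.Count) change(s) since baseline:"
    $changes | Sort-Object Change, Path | Format-Table -AutoSize
}
```

Delete the baseline file and re-run after an approved change (a QuickBooks update or a deliberate permission change) so that the next comparison starts from the new known-good state; for anything larger than a handful of hosts, a dedicated file-integrity monitoring product does the same job with central reporting.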

"Unfortunately, SMBs have to make a very first step, which is to acknowledge that a cyberattack will happen to them and that they are not too small to be of interest," Schrader says. "The interest the hackers have is to get the SMB's information about their customers [and then] work up to the larger corporate targets — be they customers or suppliers of the SMB."

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
