05:25 PM
Cybercriminals Target QuickBooks Databases

Stolen financial files then get sold on the Dark Web, researchers say.

Cybercriminals have increasingly targeted QuickBooks file data at small and midsize businesses (SMBs) over the past few months, according to new research.

The breaches start with one of two phishing techniques to gain access to QuickBooks databases, according to ThreatLocker's findings. In the first, the malicious email delivers a PowerShell command that runs on the recipient's machine. In the second, the attackers email a Word document; if the recipient opens the attachment, a macro or link inside it downloads a file onto their machine. Once the downloaded executable or the PowerShell command runs, it looks up the location of the victim's most recently saved QuickBooks file, whether on a file share or on local disk, and copies that file.

Danny Jenkins, co-founder and CEO of ThreatLocker, says the attackers usually upload the stolen files to either Google Cloud or Amazon Web Services as a temporary transfer point. From there, they sell the data on the Dark Web, where other cybercriminals buy the data to launch more targeted attacks on other QuickBooks databases or on the customers and suppliers of the victim organizations.

"They will attack every angle possible," Jenkins adds. "Cybercriminals can easily buy these QuickBooks databases on the Dark Web and launch attacks."

Meanwhile, some 43% of organizations of all sizes say they have been victims of a spear-phishing attack in the past 12 months, according to data from Barracuda Networks, and only 23% say they have dedicated spear-phishing protection in place.

"Most of the emails are invoices and resumes," ThreatLocker's Jenkins explains of the lures. "We don't have exact numbers, but we do know that millions of dollars in cybercrime is caused by these types of attacks."

Accounting programs are often written without taking security into consideration, Jenkins notes, and he points to what he calls a fundamental flaw in QuickBooks: when an administrator runs a "repair" on the QuickBooks database after a system crash, the file-share permissions can be reset, leaving the database readable by everyone in the company. An attacker who gets into the system after such a repair therefore has the same access to the database as the company's accountant or business manager.

"People wonder how the hackers have access to all their customer accounts, but it's really quite simple: Once they have access to the QuickBooks database, they have access to all your customers," Jenkins says. "What we're telling SMBs is to restrict permissions by user and by application. There's no reason for Microsoft Office or PowerShell to have access to QuickBooks."
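The two behaviours described above, an Office document spawning PowerShell and a process other than QuickBooks itself opening a company file, are both visible in ordinary Windows telemetry. The following is an added example, not ThreatLocker's or Dark Reading's code, of a detector that applies the "restrict by user and by application" rule to constructed process-creation (event 4688) and object-access (event 4663) records. The allowlist of QuickBooks process names, the Office and script-host lists, the file extensions and every sample event are assumptions for illustration; a real deployment would use the process names actually present on its hosts and needs object-access auditing enabled on the company-file share before 4663 events exist at all.

```python
"""Detect the QuickBooks-theft behaviours described above in Windows security
events. Added example for illustration only (not ThreatLocker's or Dark
Reading's code). Process lists, file extensions and all sample events below are
assumptions, not facts from the article."""

import ntpath
import re

# Assumption: only QuickBooks' own processes may open company files.
QB_ALLOWED_PROCESSES = {"qbw32.exe", "qbdbmgrn.exe"}
QB_FILE_EXTENSIONS = {".qbw", ".qbb", ".qbm"}  # company file, backup, portable
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# -e, -ec, -en, -enc, -encodedcommand: the abbreviations PowerShell accepts.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)", re.I)


def proc_name(image: str) -> str:
    """Lower-case file name of a Windows image path, whatever the separators."""
    return ntpath.basename(image.replace("/", "\\")).lower()


def is_qb_file(path: str) -> bool:
    """True when the object is a QuickBooks company, backup or portable file."""
    return ntpath.splitext(path.lower())[1] in QB_FILE_EXTENSIONS


def analyze(events: list[dict]) -> list[dict]:
    """Return one alert dict per rule hit. Events are simplified 4688
    (process creation) and 4663 (object access) records."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 4688:
            parent = proc_name(ev["parent_image"])
            child = proc_name(ev["new_process"])
            if parent in OFFICE_PROCESSES and child in SCRIPT_HOSTS:
                alerts.append({"rule": "office_spawned_script_host",
                               "process": child, "detail": f"parent={parent}"})
            if child in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(ev["command_line"]):
                alerts.append({"rule": "encoded_powershell",
                               "process": child, "detail": ev["command_line"]})
        elif ev["event_id"] == 4663:
            proc = proc_name(ev["process_name"])
            if is_qb_file(ev["object_name"]) and proc not in QB_ALLOWED_PROCESSES:
                alerts.append({"rule": "qb_file_opened_by_unapproved_process",
                               "process": proc, "detail": ev["object_name"]})
    return alerts


# Constructed sample events (not real telemetry): the attack chain from the
# article, plus a benign QuickBooks launch and read that must not alert.
SAMPLE_EVENTS = [
    {"event_id": 4688,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQA="},
    {"event_id": 4663,
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "object_name": r"\\FS01\Accounting\Company.qbw", "access": "ReadData"},
    {"event_id": 4663,
     "process_name": r"C:\Program Files (x86)\Intuit\QuickBooks 2020\QBW32.EXE",
     "object_name": r"\\FS01\Accounting\Company.qbw", "access": "ReadData"},
    {"event_id": 4688,
     "parent_image": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Program Files (x86)\Intuit\QuickBooks 2020\QBW32.EXE",
     "command_line": "QBW32.EXE"},
    {"event_id": 4663,
     "process_name": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "object_name": r"C:\Users\acct\Documents\Backups\Company.qbb", "access": "ReadData"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a['rule']:40} {a['process']:16} {a['detail']}")
```

Run against the constructed events, the detector raises four alerts: the Word-spawned PowerShell (twice, once for the parent and once for the encoded command line), PowerShell reading the company file on the share, and Outlook reading a backup; the QuickBooks executable's own launch and read pass silently. The same allowlist, applied as an application-control policy rather than a detection, is what Jenkins's advice amounts to.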

ThreatLocker detailed its research in a blog post today.

Dirk Schrader, global vice president of security research at New Net Technologies, says the QuickBooks attacks are notable for their simplicity. The attackers use only a few lines of PowerShell script and exploit design weaknesses in QuickBooks, an application widely used by smaller companies, many of which lack the expertise and staffing to keep up with cybersecurity issues.

Schrader says SMBs should control whether PowerShell scripts can be executed with the current user's rights and permissions. Where that is too much for a small organization to manage, it can instead rely on secure configuration management and change control to detect the malicious file drops.
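As an added example of the change-control approach Schrader describes (not the article's or New Net Technologies' code), the following builds a SHA-256 baseline of a directory tree and reports files that were added, modified or removed since the baseline was taken, which is the minimum needed to notice a dropped script or a tampered one. The directory layout, file names and contents in the demo are constructed.

```python
"""Hash-baseline change detection for a directory tree, as an added example
of the change-control approach described above (not the article's or New Net
Technologies' code). The demo tree, file names and contents are constructed."""

import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict[str, str]:
    """Map each file's path (relative, '/'-separated) to its SHA-256 digest."""
    base = Path(root)
    result = {}
    for path in sorted(base.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(base).as_posix()] = digest
    return result


def diff(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, modified or removed relative to baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a small tree, baseline it, simulate a dropped script plus one
    tampered script, and return the resulting change report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed baseline content
            "Accounting/Company.qbw": b"constructed stand-in for a company file",
            "Accounting/README.txt": b"do not edit",
            "Scripts/backup.cmd": b"@echo off\r\ncopy Accounting\\*.qbw D:\\backup\\\r\n",
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        baseline = snapshot(tmp)

        # Simulated post-phishing changes: a dropped script and a tampered one.
        dropped = root / "Users" / "Public" / "invoice.ps1"
        dropped.parent.mkdir(parents=True)
        dropped.write_bytes(b"# constructed stand-in for a dropped script\r\n")
        (root / "Scripts" / "backup.cmd").write_bytes(
            b"@echo off\r\npowershell -w hidden -c whoami\r\n")

        return diff(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The baseline must be stored somewhere the attacker cannot rewrite (a separate host or a read-only share), and the comparison scheduled or triggered on file-system events; otherwise a script that drops its payload and then refreshes the baseline defeats the check.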

"Unfortunately, SMBs have to make a very first step, which is to acknowledge that a cyberattack will happen to them and that they are not too small to be of interest," Schrader says. "The interest the hackers have is to get the SMB's information about their customers [and then] work up to the larger corporate targets — be they customers or suppliers of the SMB."

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
