Do you consider your organization’s accounting data confidential? All companies do, of course. And so you know that if your accounting data were to fall into the wrong hands, it could cause immeasurable damage. If you are like millions of companies and organizations around the world, you use Quickbooks Desktop software by Intuit to manage your accounting. A new threat, as reported by ThreatLocker, uses two different methods (and some variants) for attacking a company’s Quickbooks Data File via email. In some cases, the attack can be successful no matter which member of an organization is targeted, and all that staffer would need to do is open an innocent-looking email in order to tip the first domino.
ThreatLocker reported in February about the growth in the incidence of Quickbooks Data Theft after noticing a 600% to 700% increase in PowerShell scripts accessing Quickbooks data files. PowerShell is a scripting tool installed by default on all Windows 10 computers.
This rise in access led to their investigation, which revealed that companies were receiving emails with embedded PowerShell scripts. These scripts silently look for and exfiltrate (a fancy word that means “steal”) data from the company Quickbooks file.
Another method for stealing Quickbooks file data was also revealed in the same report. This slightly more complex method involves a piece of scripted malware living inside an MS Word file delivered by email. The malicious script downloads additional malware, possibly a PowerShell script, which then accesses and exfiltrates the Quickbooks file.
How Quickbooks Makes The Threat Worse
According to Quickbooks experts Fourlane.com, Quickbooks is now the accounting software of choice for more than 29 million small and medium sized businesses. That makes this hack critically important. What makes it even more important is that hundreds of thousands of accounting and bookkeeping companies also have Quickbooks, and use it to connect to their clients’ data, multiplying the threat this hack poses worldwide.
It’s important to understand that we’re talking about the traditional Quickbooks Desktop system, and not the newer Quickbooks Online. Quickbooks Desktop began life back in 1983 as a single-user accounting system, and was later modified to allow multiple users across a network using a separate piece of software called Quickbooks Server Database Manager (QSDM).
Quickbooks, like most other systems that contain important data, has security built into its data files. User access to the file is granted using QSDM, so that users can only access the parts of Quickbooks appropriate to their role. For example, Accounts Receivable clerks would not be in a group that allowed them to pay vendors.
When users are restricted to their appropriate groups, the malware can only exfiltrate data that the infected user can access.
Quickbooks has a well-known flaw, however: Quickbooks data files often get damaged, and when they do they need to be repaired. Intuit even supplies a tool for this purpose, called the Quickbooks File Doctor. But, according to ThreatLocker, “When carrying out a repair, file permissions are reset and the ‘everyone’ group is added to the permission. As a result, access to the database is left wide open and this is a major security concern.”
That means that any user can access all of the data in the Quickbooks file, allowing even more data to be stolen by the malware.
Why is this Quickbooks Data Theft attack so dangerous to your company? Because once vendor and customer data is stolen, it can be exploited to the hackers’ advantage. Social engineering emails can be sent to customers asking for changes to payment terms, including making payments by bank wire to alternate bank accounts controlled by the hackers.
Additional damage can be done simply because the email addresses and identities of customers, vendors and employees would then be known by the hackers, allowing Phishing emails to be sent with very detailed messages, allowing even more malware to be spread.
Proprietary information could be used to threaten or blackmail the company to prevent its release.
But perhaps the worst threat is that the exfiltrated data can be offered for sale on the dark web, where it may be purchased by the highest bidder, or sold a thousand times over to anyone who is willing to pay the price. Either way, this puts the privacy, credit ratings, and identity of all the parties at risk.
How To Prevent The Quickbooks Data Theft Attack
Checking for the presence of the Everyone group on the Quickbooks file and eliminating it is a good first step in protecting your company from the Quickbooks Data Theft attack, but it falls far short of being all that needs to be done.
Disabling PowerShell on workstations for most users is another good step -- PowerShell is just not necessary in most cases.
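One way to perform that check on a Windows file server, as an added example (not code from ThreatLocker, Intuit or Digital Uppercut): the PowerShell script below audits a Quickbooks company-file folder for ACL entries that grant access to the built-in Everyone group and, when run with -Remove, strips them. The default folder path and the .qbw file extension are assumptions; adjust them for your own server.

```powershell
# Added example, not code from ThreatLocker, Intuit or Digital Uppercut.
# Audits a QuickBooks Desktop company-file folder for "Allow" ACL entries granted to the
# built-in Everyone group (the group a File Doctor repair adds) and, with -Remove, strips them.
# The default folder path and the .qbw extension are assumptions; adjust for your file server.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CompanyFileRoot = 'C:\Users\Public\Documents\Intuit\QuickBooks\Company Files',
    [switch]$Remove
)

# Resolve Everyone from its well-known SID (S-1-1-0) so the check also works on localized Windows.
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value   # "Everyone" on English systems

function Get-EveryoneAces {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    @($Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $everyone -and $_.AccessControlType -eq 'Allow'
    })
}

# Check the folder itself plus every company file under it.
$targets = @(Get-Item -LiteralPath $CompanyFileRoot) +
           @(Get-ChildItem -LiteralPath $CompanyFileRoot -Recurse -File -Filter '*.qbw')

foreach ($item in $targets) {
    $acl  = Get-Acl -LiteralPath $item.FullName
    $open = Get-EveryoneAces $acl
    if ($open.Count -eq 0) { continue }
    foreach ($ace in $open) {
        $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Warning ("{0}: Everyone has {1} ({2})" -f $item.FullName, $ace.FileSystemRights, $kind)
    }
    if (-not $Remove -or -not $PSCmdlet.ShouldProcess($item.FullName, 'Remove Everyone ACEs')) { continue }

    # Inherited entries cannot be removed directly: first break inheritance, keeping copies
    # of the inherited rules as explicit ones, write that back, then re-read the ACL.
    if ($open.IsInherited -contains $true) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        $acl = Get-Acl -LiteralPath $item.FullName
    }
    foreach ($ace in (Get-EveryoneAces $acl)) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $item.FullName -AclObject $acl
    Write-Output "Removed Everyone from $($item.FullName)"
}
```

Run it without -Remove first to see what is exposed; before removing anything, confirm that the Quickbooks database service account and your legitimate Quickbooks users still have access through their own groups, since -Remove only takes away the Everyone entries.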
Good security software should be able to prevent such malware from infecting most systems, but according to ThreatLocker, this particular malware is “signed” software, which means it appears to be legitimate software to most antivirus and antimalware systems.
So how can the Quickbooks Data Theft Attack be prevented?
The answer lies in the type of cybersecurity system you are using. While normal antivirus or anti-malware software may not detect this threat, systems like the Digital Uppercut Business Protection Toolkit can. The Toolkit features a number of tools that, working together, can identify, trap and render malware like this harmless.
- Advanced Email Filter -- Opens every link and attachment in a Sandbox environment and tests it for malicious behavior before allowing the user to see or access it.
- Advanced Endpoint Protection -- Uses advanced Behavior-based and AV signature protection to identify and stop known and unknown threats in their tracks.
- Cybersecurity Awareness Training -- Helps teach users to join your team to defend themselves, your company and its data from attack.
- Security Information and Event Management (SIEM) -- Collects and automates the logs from all your network devices and workstations to help give your organization a true picture of the threats it faces, including when unauthorized data is trying to leave the network.
- Security Operations Center -- Our team of cybersecurity experts is constantly monitoring your network and the actions of your Advanced Email Filtering, Advanced Endpoint Protection and your SIEM.
Has Your Quickbooks Data Already Been Stolen?
Your company may already be a victim of the Quickbooks Data Theft attack, and you may not even know it. At Digital Uppercut, we have tools to help detect the presence of this and other malware on your network. We can also search the Dark Web to see if your data has already been exfiltrated. Whether you want to know if you’re already a victim or know you want to prevent becoming a victim, contact Digital Uppercut and let’s talk about cybersecurity for your company. Use our online contact form or call us at 818-913-1335.