A Quickbooks exploit creates vulnerabilities
Recently we discussed the increased saturation of ransomware attacks during tax season in the United States. Malicious third parties are always eager to seek out ways to deliver their dangerous payloads. Often, they’ll take advantage of important events to cloak their methods, preying on confusion, stress, and anxiety. Naturally, tax season is a perfect fit.
And, as expected, data thieves are leaping on the opportunities given to them. Quickbooks is the latest target in wide-reaching schemes to steal data.
A recently published report revealed that attackers have developed new malware, delivered primarily through email messages, whose goal is to steal Quickbooks tax data and publish it online.
The attack process
As complex as the attack sounds, it’s fairly simple. Quickbooks’ CEO briefly explained how the malware attack executes, running on only fifteen lines of code. That makes sense, as the end result is straightforward. But, as Danny Jenkins went on to explain, there are two primary methods by which the attack occurs.
Attackers deploy a PowerShell command to steal the data, which is then placed in a Word document for extraction. Once in the attackers’ possession, the stolen info is published (or, more likely, sold to interested parties on the dark web).
The attacks have increased dramatically, by roughly seven times, due primarily to Quickbooks’ additional use during tax season. This is all caused by a default permissions setting. Experts went on to break down how the attacks occur: primarily, it’s because of how Quickbooks manages its files and processes. Any time a file is stored on a Quickbooks server, the system uses a File Manager, which provides universal control to other processes. By default, file permissions are set to “everyone,” making it quite simple for an attack to assume control.
In a “fortunate” turn of events, though, Jenkins and his teams were able to reverse engineer the script in part because of its simplicity. This allowed Quickbooks staff to track the destination of the stolen files.
As indicated, after a successful theft, attackers sought to sell and publish their digital goods online. Jenkins explained that he observed prices ranging from the low hundreds to upwards of thousands for a total database sale. At that point, information recovery is no longer possible. Instead of attempting recovery, it is important to recognize what malicious third parties intend to do with stolen data.
As is typical with information theft, phishing campaigns and potential BEC attacks are the likeliest outcomes. Spear phishing relies on trusted connections and senders to bypass defenses, mainly because users receive emails or messages from people they assume are who they say they are.
Protecting networks if you use Quickbooks
Bad news for anyone who uses Quickbooks for tax and business purposes. Whether personal or professional, the risk is high. There are two things to do: update everything, and make sure you have settings in place to verify access permissions. If you suspect info was compromised, you can still protect yourself and your enterprise.
This is important, as hackers can exploit this information at any point. It could be days or months before the stolen data is utilized.
For everyday defense, the easiest step is to modify access permissions. Simply put, only select staff should have access to priority information (if using Quickbooks within an organization). That prevents any default access if the PowerShell attack is launched. If, however, you suspect some (or all) of your info was taken, you should pay careful attention to bank statements or anywhere said data is relevant.
Messages received from trusted parties or businesses that appear tax-related should be put under severe scrutiny, as these will contain links to phishing websites and other phishing techniques. Be especially aware of any messages that refer to “account alerts” or errors, as these attempt to provoke a hasty reaction.
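The “everyone” default described in the attack section is a share and folder permission, and the fix recommended here is to restrict it. The script below is an added example written for this article, not code from the article or from Intuit/QuickBooks. It audits a file share and its NTFS folder for allow entries that give broad identities write-class rights, reports them, and with -Remediate replaces them with a single approved group. The share name QuickBooksData, the path D:\QuickBooksData and the group DOMAIN\QuickBooks Users are assumptions; substitute your own.

```powershell
<#
Added example for this article (not Intuit/QuickBooks code).
Audits a data share and folder for "everyone"-style write access and,
with -Remediate, restricts it to one approved group.
Assumed (hypothetical) names: share QuickBooksData, path D:\QuickBooksData,
group DOMAIN\QuickBooks Users. Needs the SmbShare module and local admin.
Run with -Remediate -WhatIf first to see what would change.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ShareName     = 'QuickBooksData',
    [string]$DataPath      = 'D:\QuickBooksData',
    [string]$ApprovedGroup = 'DOMAIN\QuickBooks Users',
    [switch]$Remediate
)

# Identities that must never hold write, modify or full control on company files.
$BroadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Find-BroadShareAccess {
    param([string]$Name)
    # Share-level ACL: Full or Change for a broad identity lets any network caller write.
    Get-SmbShareAccess -Name $Name -ErrorAction Stop | Where-Object {
        $_.AccountName -in $BroadIdentities -and
        $_.AccessControlType.ToString() -eq 'Allow' -and
        $_.AccessRight.ToString() -in @('Full', 'Change')
    }
}

function Find-BroadNtfsAccess {
    param([string]$Path)
    # NTFS ACL: any allow ACE for a broad identity that includes a write-class right.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $BroadIdentities -and
        $_.FileSystemRights.ToString() -match 'FullControl|Modify|Write'
    }
}

$shareFindings = @(Find-BroadShareAccess -Name $ShareName)
$ntfsFindings  = @(Find-BroadNtfsAccess -Path $DataPath)

foreach ($f in $shareFindings) { Write-Output "SHARE $ShareName : $($f.AccountName) has $($f.AccessRight)" }
foreach ($f in $ntfsFindings)  { Write-Output "NTFS  $DataPath : $($f.IdentityReference) has $($f.FileSystemRights)" }
if ($shareFindings.Count -eq 0 -and $ntfsFindings.Count -eq 0) { Write-Output 'No broad write access found.' }

if ($Remediate -and ($shareFindings.Count -gt 0 -or $ntfsFindings.Count -gt 0)) {
    if ($PSCmdlet.ShouldProcess("$ShareName and $DataPath", "restrict write access to $ApprovedGroup")) {
        # Share level: drop the broad grants, give the approved group Change (not Full).
        foreach ($f in $shareFindings) {
            Revoke-SmbShareAccess -Name $ShareName -AccountName $f.AccountName -Force
        }
        Grant-SmbShareAccess -Name $ShareName -AccountName $ApprovedGroup -AccessRight Change -Force

        # NTFS level: break inheritance (keeping copies of inherited ACEs) so the
        # broad entries can actually be removed, then add one explicit Modify rule.
        $acl = Get-Acl -Path $DataPath
        $acl.SetAccessRuleProtection($true, $true)
        foreach ($ace in $ntfsFindings) { $acl.PurgeAccessRules($ace.IdentityReference) }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ApprovedGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $DataPath -AclObject $acl
    }
}
```

Run it without -Remediate first to see the findings, then with -Remediate -WhatIf to preview the change. The account the Quickbooks database service runs as needs to keep access to the company files, so put it in the approved group before removing the broad entries, otherwise multi-user access stops working.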
Other safety precautions
Even with these measures in place, protecting information is challenging. There are several other things your enterprise (or you as an individual) can do to keep an eye out for suspicious activity, such as:
- Establishing a protocol about where certain files are stored
- Creating access rules on or off Quickbooks so only approved parties can view data
- Keeping all anti-virus software updated
- Monitoring networks for unusual external traffic
- Enabling encryption and MFA on certain devices
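The list ends with monitoring for unusual activity. For this particular technique, one host-side signal is a scripting host reading the company files directly, which a Windows file-access audit event exposes. The script below is an added example for this article, not code from the article or from Intuit/QuickBooks. It assumes object-access auditing is enabled with a SACL on the data folder; the approved accounts, process paths and sample records are all constructed.

```powershell
<#
Added example for this article (not Intuit/QuickBooks code).
Flags scripting hosts reading QuickBooks company files under accounts that
are not on an approved list, using Security event 4663 ("An attempt was made
to access an object"). 4663 is only logged when "Audit File System" is
enabled and the data folder carries a SACL for read/write access.
Approved accounts, process paths and the sample records are constructed.
#>
$ApprovedAccounts = @('CORP\qb-service', 'CORP\alice')   # hypothetical
$ScriptHosts    = '\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$'
$CompanyFileExt = '\.(qbw|qbb|qbm|tlg|nd)$'   # company, backup, portable, transaction log, network data

function ConvertFrom-ObjectAccessEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Pull the named EventData fields out of a real 4663 record.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process = $data['ProcessName']
        Object  = $data['ObjectName']
    }
}

function Find-SuspiciousCompanyFileAccess {
    param([object[]]$Records)
    # All three must hold: a company file, opened by a scripting host, from an unapproved account.
    $Records | Where-Object {
        $_.Object  -match $CompanyFileExt -and
        $_.Process -match $ScriptHosts -and
        $_.Account -notin $ApprovedAccounts
    }
}

# Constructed sample records in the shape ConvertFrom-ObjectAccessEvent produces.
$sample = @(
    [pscustomobject]@{ Time = '2021-03-12 09:01'; Account = 'CORP\qb-service'
                       Process = 'C:\Program Files\Intuit\QuickBooks\qbapp.exe'   # hypothetical path
                       Object  = 'D:\QuickBooksData\Company.qbw' }
    [pscustomobject]@{ Time = '2021-03-12 09:14'; Account = 'CORP\bob'
                       Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Object  = 'D:\QuickBooksData\Company.qbw' }
    [pscustomobject]@{ Time = '2021-03-12 23:00'; Account = 'CORP\alice'
                       Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Object  = 'D:\QuickBooksData\Company.qbb' }   # approved backup job
    [pscustomobject]@{ Time = '2021-03-12 09:20'; Account = 'CORP\bob'
                       Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Object  = 'D:\QuickBooksData\notes.txt' }
)

# Only the 09:14 record is reported: a script host, an unapproved account, a company file.
Find-SuspiciousCompanyFileAccess -Records $sample |
    ForEach-Object { "ALERT $($_.Time) $($_.Account) read $($_.Object) via $($_.Process)" }

# Against the live Security log (needs auditing enabled as noted above):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#             ForEach-Object { ConvertFrom-ObjectAccessEvent $_ }
# Find-SuspiciousCompanyFileAccess -Records $live
```

Scope the SACL to the Quickbooks data folder only; a SACL on a whole volume makes 4663 far too noisy to use. The approved list keeps expected readers (the database service account, a scheduled backup) out of the alerts, so whatever remains is worth a look.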