Cybercriminals are ready for tax season with new malware designed to exfiltrate Quickbooks data and post it on the internet, according to a new report from ThreatLocker. Attackers use email to deliver the malware, which the ThreatLocker’s CEO Danny Jenkins told Threatpost is a simple, 15-line piece of code. There are two specific methods attackers used to get the malware to targets: The first is to send a PowerShell command to exfiltrate the data; and the second is to use a Word document to deliver a link or macro to retrieve a file. After that, the stolen files are sent to the internet, where they’re up for grabs. “Once the executable or PowerShell command is running, it retrieves your most recently saved Quickbooks’ file location, points to your file share or local file, and proceeds to upload your file to the internet,” the report said. Jump in PowerShell Access to Quickbooks Jenkins added that ThreatLocker has seen a six- to seven-times increase in instances of PowerShell accessing QuickBooks in recent weeks. A QuickBooks default permissions setting makes things extra-easy for attackers, according to the firm. “When Quickbooks is on a file server, you are required to use a Quickbooks Database Server Manager, the report said. “When carrying out a repair, file permissions are reset and the ‘everyone’ group is added to the permission. As a result, access to the database is left wide open and this is a major security concern. ” Jenkins said he was able to reverse engineer…
0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2021-02-24 16:52:002021-02-24 16:52:00Tax Season Ushers in Quickbooks Data-Theft Spike
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org