According to ThreatLocker reports, the breaches begin with two types of phishing attacks used to gain access to QuickBooks databases. In the first, the attackers send a PowerShell command that runs inside the malicious email. In the second, the attackers send a Word document by email. If the recipient opens the attached document, a link inside that document downloads a file onto their computer. Once the command runs, it retrieves the location of the victim's most recently saved QuickBooks file, goes to the file share or local file, and grabs it.
Danny Jenkins, co-founder and CEO of ThreatLocker, said the attackers usually upload the captured files to Amazon Web Services or Google Cloud as a brief transfer point.
To Read More: Dark Reading