Early in the afternoon on Friday, May, 3, I asked a friend to relay a message to his security contact at CCH, the cloud-based tax division of the global information services firm Wolters Kluwer in the Netherlands. The message was that the same file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access.
Shortly after that report, the CCH file directory for tax software downloads was taken offline. As of this publication, several readers have reported outages affecting multiple CCH Web sites. These same readers reported being unable to access their clients’ tax data in CCH’s cloud because of the ongoing outages. A Reddit thread is full of theories.
I do not have any information on whether my report about the world-writable file server had anything to do with the outages going on now at CCH. Nor did I see any evidence that any client data was exposed on the site.
What I did see in those CCH directories were a few odd PHP and text files, including one that seemed to be promoting two different and unrelated Russian language discussion forums.
I sent Wolters Kluwer an email asking how long the file server had been so promiscuous (allowing anyone to upload files to the server), and what the company was doing to validate the integrity of the software made available for download by CCH tax customers.
Marisa Westcott, vice president of marketing and communications at Wolters Kluwer, told KrebsOnSecurity on Friday that she would “check with the team to see if we can get some answers to your questions.”
But subsequent emails and phone calls have gone unreturned. Calls to the company’s main support number (800-739-9998) generate the voice message, “We are currently experiencing technical difficulties. Please try your call again later.”
On Tuesday morning, Wolters Kluwer released an update on the extensive outage via Twitter, saying:
“Since yesterday, May 6, we are experiencing network and service interruptions affecting certain Wolters Kluwer platforms and applications. Out of an abundance of caution, we proactively took offline a number of other applications and we immediately began our investigation and remediation efforts. The secure use of our products and services is our top priority. we have ben able to restore network and services for a number – but not all — of our systems.”
Accounting Today reports today that a PR representative from Wolters Kluwer Tax & Accounting, which makes the CCH products, confirmed the outage was the result of a malware attack:
“On Monday May 6, we started seeing technical anomalies in a number of our platforms and applications,” the statement given to Accounting Today reads. “We immediately started investigating and discovered the installation of malware. As a precaution, in parallel, we decided to take a broader range of platforms and applications offline. With this action, we aimed to quickly limit the impact this malware could have had, giving us the opportunity to investigate the issue with assistance from third-party forensics consultants and work on a solution. Unfortunately, this impacted our communication channels and limited our ability to share updates. On May 7, we were able to restore service to a number of applications and platforms.”
Accounting Today says the limited ability to share updates angered CCH users, many of whom took to social media to air their grievances against a cloud partner they perceive to be ill-prepared for maintaining ongoing service and proper security online.
“Despite CCH stating that a number of applications and platforms were up and running today, May 7, several users on a Reddit thread on the topic have stated that as of this morning in Florida, Maine, Texas, Pittsburgh and South Carolina, their CCH systems are still down,” Accounting Today wrote.
Special thanks to Alex Holden of Hold Security for help in notifying CCH.
Update, May 9, 10:26 a.m. ET: Updated this story to include the latest statement from Wolters Kluwer:
“On Monday May 6, our monitoring system alerted us to technical anomalies in a few of our applications and platforms. We immediately started investigating and detected the installation of malware. When we detected the malware, we proactively took a broad range of platforms, specifically including the CCH tax software applications, offline to protect our customers’ data and isolate the malware. The service interruptions our customers experienced are the result of our aggressive, precautionary efforts.”
“On May 7, we were able to begin restoring service to a number of applications and platforms. At this time, we have brought CCH Axcess, CCH SureTax, CCH AnswerConnect, and CCH Intelliconnect back online. Our process and protocols assure a high degree of confidence in the security of our applications and platforms before they are brought back online. We have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.”
“At this time, we have notified law enforcement and our investigation is ongoing. We regret any inconvenience this has caused, and we are fully committed to restoring remaining services as quickly as possible for our customers.”
“Out of an abundance of caution” — I vomit every time I read this phrase! It seems like the most tell-tale sign that the house is on fire…
That’s right up there with ‘thoughts and prayers’.
“We take security seriously”
actually means
“We didn’t take security seriously enough.”
I suspect we are all jaded from the likes of facebook. But time will tell.
Kind of funny since their cloud product, last time I saw, was running on Azure Service Fabric and there were always problems getting things updated, patched, whatever. Might wanna shy away from that cluster (pun intended) of a product.
“We have seen no evidence that customer data was taken or that there was a breach of confidentiality of that data…”
If I was a really good hacker. They will never know…
MY $0.02
Or, if it was hacked up bad enough, they may never know.
Or if they covered their eyes and tried hard not to notice…
“Also, there is no reason to believe that our customers have been infected through our platforms and applications.”
This is by far the most unsettling sentence for me.
One of my customers is one of CCH’s customers and he was told by their support they got hit with Mega Cortex Ransomware yesterday.
Deleted comment on Reddit from one of their engineers:
http://www.removeddit.com/r/sysadmin/comments/blcswm/_/emoa39y/
Mega Cortex – details https://www.zdnet.com/article/sudden-surge-of-megacortex-ransomware-infections-detected/
Thanks for the link.
MegaCortex’s ransom note includes “The breach is a result of grave neglect of security protocols”. I agree.
It all starts with someone opening and running an infected MS Office macro sent via email or a messaging service like Skype.
down in the East coast too. I wonder how they’re able to get away with this with GDPR in play.
“…no reason to believe that our customers have been infected…” — HAH! But HUGE reason to believe that in fact, many or all of “our customers” are infected.
I used to work there and some current employees have said they were not allowed to login to their computers today
This appears to have been a targeted attack. I suspect the virus was the vector, but also the distraction. Customer data could have been the actual goal. I don’t trust WK’s denial.
Any coincidence NYtimes now has IRS transcripts for 1985-1994? Anyone worked for Mazers and know if they used CCH products?
While the NYT transcripts seem coincidental, it is interesting that CCH was targeted. Based on some LinkedIn job postings for Mazars they are a CCH shop. This story may be bigger than is currently being covered.
Any coincidence that someone who chose “DJT” as their handle is spinning baseless conspiracy theories?
If you believe the reporting in that article, the person who accessed it had legal access to it. That wouldn’t be the case if it was a security hole. It’s still considered abuse of computer access if you go in through a hole.
More likely it was some lawyer or tax firm involved.
It would be interesting to know the way they check the integrity of the ftp hosted update files. NoPetya had a similar spreading vector through the repo of a widely used Ukrainian accounting software, if I recall correctly. WK have a LOT of clients and if those Axcess updates are somehow tampered with and then injected into the client´s update process, it would be mayhem.
Such cases are increasing over the years! Being a software developer myself, I don’t understand how can they let such thing pass by!
“On May 7, we were able to restore service to a number of applications and platforms.”
CCH.com is still down. support.cch.com is still down. Closing in on 72 hours.
12:31 AM Thurs May 9 – copies from a comment on Wolter Kluwer CcH FB page – says posted 9 hours ago so makes it about 3 PM ET “Just received confirmation from my ex sales rep and from a developer CCH Axcess has been restored. E-filing is still down though. “
That’s just one of many vulnerabilities and your time of discovery was just happen to coincide with the downtime. Flagrant neglect of security at these large behemoths.
Judging from some of the file names, those are conversion files exported/backed-up from other tax prep systems to be imported into CCH. Did you explore the contents of these files? What else could they be if not client data?
“What I did see in those CCH directories were a few odd PHP and text files”
The first thing I thought of when I saw there were a few odd PHP files were reverse shells. If it was open and writable to any anonymous user, it’s trivial to spin up a PHP reverse shell and upload it on the target. That way, they have complete control of the server if they can privilege escalate. I’m interested to follow this story to see what they say. So far, like other users have commented, it’s pretty unnerving that they stated “there is no reason to believe that our customers have been infected through our platforms and applications.” I find that very hard to believe.
The CCH customers may not be infected, but all of the “secure private” information of the clients of those CCH customers has been swiped. Where’s Dora and Backpack to save the day?
Release date July 31, 2019.
Call me a geezer at 67, I never bought into the cloud for tax software! I cannot efile but at least can work on extensions. I go back to the Maine days and have been through the shut down on 4/15 maybe 10 years ag0, that caused us to do manual 4868s and the 2012 debacle!! Once they sold the company, customer service was sacrificed! Their response this time will the a case study on the wrong way to handle a crisis situation. I got lucky and filed my 990 extensions early on Friday!! Good luck to those without any service!!
Thanks for the comments. We believe the problem is far larger than described. Protect your data!!
”Despite CCH stating that a number of applications and platforms were up and running and yet several users on reddit thread said their CCH systems are still down”. Could it means these customers are still under attack?
I wonder how sure are CCH that non of their customers have not been affected.
CCH Customers may not realised the impact of the attack yet. I hope CCH will be able to recover from this attack.
As of 5/8/19 9:38 AM, ProFx is still down and incommunicado. You cannot call in, no information is available. We do not use their cloud program, but do e-file through them. As a customer, I would have expected to receive s communication of some sort from them on the matter. Their continuing silence is both disconcerting and irresponsible, and the releases they have made contain nothing more than the current catch phrases and pablum.
we are legally required to efile within 72 hours of receiving a signed e-file form. No communication from ATX and I’m at my limit. This is completely irresponsible.
Since yesterday, May 6, we are experiencing network and service interruptions after certain Wolters Kluwer platforms and applications…insert were compromised.
Well if you shut down your routers and switches and pull the cables out – yes, you’ll have network “issues”. Panic move – but, I have say I think it worked.
Axcess is back up as of about 1500 05/08/2019
I’m hearing that some CCH programs are available, but now that we know it’s malware, I’m wary of even trying to login.
What’s puzzling the heck out of me is why their stock price is up today and over the last 5 days. Maybe I should sell short, Mortimer, sell short.
https://www.marketwatch.com/investing/stock/wkl?countrycode=nl
Hopefully they will weather the storm and, once done, find a way to contribute to your “research fund”. Nice work Mr Krebs.
Some Wolters Kluwer banking platforms or their dependencies are also offline, affecting ARTA Lending and Compliance One.
“On Monday May 6, we started seeing technical anomalies in a number of our platforms and applications,” the statement given to Accounting Today reads. “We immediately started investigating and discovered the installation of malware.”
Searching the URL in Brian K’s graphic, shows detection eight months ago, and again 2 months ago:
http://www.virustotal.com/en/url/ee8ce2e287962a3a7160f3486ad1e89e3cca3292d4bc64e468e2dc8c6ce5c943/analysis
http://www.virustotal.com/en/file/4c8255518f69681a8b03f7b6f6c89ea86ad8498be8b84e965ce54986cdb22d64/analysis
Sophos denotes it as Troj/Invo-Zip (trojan)
Maybe Hillary goaded a hacker to really do it!
And I would have gotten away with it too if it weren’t for you meddling Krebs!
Nice, lol
I am surprised this has not made the larger news services. The company that is the largest SaaS provider to CPA firms is offline due to “hacking” (click bait title opportunity!!!) and malware. They have the tax returns for probably millions of people, nothing on CNN.
Yet, somehow the news picks up about Norsk Hydro a metals mill company? Just very odd what gets picked up and what does not.
Norsk Hydro has about 35,000 employees, many of which are blue-collar workers. It is a major competitor to Alcoa, which was once upon a time one of the companies listed in the Dow Jones Industrial. Each has revenues exceeding 11 billion USD.
Wolters Kluwer has 19,000 employees. Most likely none are blue-collar workers as it is a services company, not a manufacturing company. Its revenues are less than 5 billion USD.
I hear on on former bluechip and employee size. However, a company that has the SSN’s and tax info on millions of people being “hacked” or more accurately offline due to crypto malware I would think is big news and would get a lot of attention. I just wonder how much their being a publishing and new service provider affects things like this.
Is very irresponsible on their part not to communicate better with their clients. Not good business practice at all 🙁
we are all waiting for something that we know nothing about at this point
Is there any indication that CCH’s non-cloud accounting software was infected? Should customers who downloaded an updated version recently be concerned about the software’s integrity? I mean, if the attackers could write to a directory that hosted software updates, that’s a little scary.
From the technical perspective, personally I don’t think the downloaded on-premises applications will be affected.
Except the downloaded on-premises applications are pretty useless right now, as we can’t update, export, or e-file. I hope their communications department all gets fired, like immediately.