
Wolters Kluwer hit by Mega Cortex Ransomware

Posted on 6th May 2019

Wolters Kluwer is working to restore all UK services following a reported Mega Cortex crypto-ransomware infection.

The report first appeared in a Reddit thread, where a user named BRaVo_cHoKe, claiming (without verification) to be a Wolters Kluwer systems engineer, stated that a Mega Cortex ransomware infection was currently being dealt with:

"I'm a system engineer with WK. The issue is quite large and is not just affecting CCH Axcess, but rather all customer facing products across the health, Tax & Accounting, Governance, Risk & Compliance, and Legal & Regulatory. My office was not affected directly but was told to turn off our backup software and turn off all domain controllers effectively ending our work day."

"Can confirm it's Mega Cortex"

The user deleted the post shortly afterwards, but it can still be seen at removeddit.com.

The issue (which is still ongoing) is affecting all UK websites, including support, as well as the UK secure messaging facility, accountantspace.co.uk, whose zone is currently returning no DNS records at all.

Another comment in the same Reddit thread suggested the outage could instead be the result of a migration from IBM/SoftLayer to Azure. That is at least consistent with what DNS shows: accountantspace.co.uk is delegated to Azure DNS nameservers, yet currently serves no other records. The same does not appear to be true of wolterskluwer.co.uk.

Wolters Kluwer has officially responded from its US Twitter account, but with limited information.

TL;DR: if you use any of the online CCH applications, expect them to be offline until further notice. I am unsure how (if at all) this will affect locally installed applications such as CCH Central.

[Updated 7th May 2019 - 3.30am]

An official response has been posted on the main Wolters Kluwer Twitter and Facebook pages, but it is very limited on information. As of this moment services are still offline, and no reason has been given for the outage.

[Updated 7th May 2019 - 3pm]

The Reddit Post has been updated as follows:

One of our clients just received this from a CCH Rep:

"I appreciate everyone’s patience with the fact that this update is just now getting to you (as you might imagine it’s been a busy morning for me). I spoke with many of you yesterday so some of this may be a repeat. As you are well aware, the CCH outage from yesterday is still occurring today. I’m not going to speculate as to the nature of this because I’m sure you’ve already done that for me and I’m aware of what is being said on the forums/message boards and our competitors (thank you to those of you who sent this over to me).

Importantly, many of you are awaiting guidance on what you should be doing with your staff today and unfortunately I do not have a good answer for this. Many of you saw the maintenance window message which said that operations would be back up by 8:30AM CST today, which has come and gone. I have not received any updated communication regarding a timeframe. I understand that many of you are looking to me to provide guidance on what you should do with your people today and I’m unable to provide that, however I will let you know that I am approaching my day with the anticipation that CCH will be down through today given how this has played out.

While I said I’m not going to speculate on the nature of this, I understand that many are concerned about a potential malware attack on areas of the CCH infrastructure. To that end, I will be obtaining our most recent SOC 2 report for you to see the security protocol reports related to our systems and will send over when I get it. Please note that this is not an acknowledgement of this actually being the issue, but rather just an acknowledgement that obviously people are talking and this is a common concern.

I will update this email as soon as I have additional information for you. While many of you know that I’ll go to great lengths to help you out, I’ll respectfully request that you refrain from calling just to get updates (as I’ll probably spend a good 20 minutes talking your ear off while providing no new information). I will update this thread with additional details as they become available (tonight at the latest)."

[Updated 7th May - 10pm]

WK have posted an official statement:

On Monday, May 6, we started seeing technical anomalies in a number of our platforms and applications. We immediately started investigating and discovered the installation of malware. As a precaution, in parallel, we decided to take a broader range of platforms and applications offline. With this action, we aimed to quickly limit the impact this malware could have had, giving us the opportunity to investigate the issue with assistance from third-party forensics consultants and work on a solution. Unfortunately, this impacted our communication channels and limited our ability to share updates.

On May 7, we were able to restore service to a number of applications and platforms.

We regret any inconvenience and that we were unable to share more information initially, as our focus was on investigation and restoring services as quickly as possible for our customers.

We have seen no evidence that customer data was taken or that there was a breach of confidentiality of that data. Also, there is no reason to believe that our customers have been infected through our platforms and applications. Our investigation is ongoing. We want to apologize for any inconvenience this may have caused.

A further update was posted on social media feeds at 10pm:

[Image: Wolters Kluwer ransomware update posted to social media]

We are yet to receive reports of any services coming back online, while complaints are still rolling in across the web from unhappy clients who, 48 hours later, still have no access to their customer data.

A few eagle-eyed customers are now being presented with a maintenance message when attempting to log in to CCH Axcess:

[Image: CCH Axcess maintenance message]

[Updated 8th May 9am]

KrebsOnSecurity has posted an article detailing findings from 3rd May, before the WK outage began:

"Early in the afternoon on Friday, May, 3, I asked a friend to relay a message to his security contact at CCH, the cloud-based tax division of the global information services firm Wolters Kluwer in the Netherlands. The message was that the same file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access.

Shortly after that report, the CCH file directory for tax software downloads was taken offline. As of this publication, several readers have reported outages affecting multiple CCH Web sites. These same readers reported being unable to access their clients’ tax data in CCH’s cloud because of the ongoing outages."

This is worrying, since WK customers use these software repositories to download and install updates to their CCH applications. Because the directory was writable by anyone on the internet, an attacker could have replaced or modified those update packages to include malicious code, which would then have run on any number of customer systems. Anyone who installed a CCH update from those directories in the days before the outage would do well to check the installer's digital signature and compare its hash against a copy obtained after the directory was secured.
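As an added illustration (this is not Wolters Kluwer's, CCH's or KrebsOnSecurity's code), the following Python audits a software-download directory the way a practitioner would after a report like this: every file is compared against a manifest of vendor-published SHA-256 hashes, files the manifest does not list are reported as unexpected, published files that are absent are reported as missing, and world-writable entries are flagged. The manifest, file names and file contents are constructed for the example; the assumption is that the vendor publishes release hashes through a channel separate from the download directory itself.

```python
"""
Audit a software-download directory against a known-good hash manifest.

Added example, not Wolters Kluwer's or CCH's code. Assumes the vendor publishes
a manifest {file name: sha256} out-of-band. Every file name, hash and file body
below is constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_download_dir(directory: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the contents of `directory` with `manifest` ({file name: sha256}).

    verified   - present and hash matches the manifest
    modified   - present but hash differs (a tampered or replaced update)
    unexpected - not listed in the manifest (files nobody should have put there)
    missing    - listed in the manifest but absent from the directory
    writable   - directory or file entries that are world-writable
    """
    report: Dict[str, List[str]] = {
        k: [] for k in ("verified", "modified", "unexpected", "missing", "writable")
    }
    if directory.stat().st_mode & stat.S_IWOTH:
        report["writable"].append(directory.name + "/")
    seen = set()
    for entry in sorted(directory.iterdir()):
        if entry.stat().st_mode & stat.S_IWOTH:
            report["writable"].append(entry.name)
        if not entry.is_file():
            continue
        seen.add(entry.name)
        expected = manifest.get(entry.name)
        if expected is None:
            report["unexpected"].append(entry.name)
        elif sha256_file(entry) == expected.lower():
            report["verified"].append(entry.name)
        else:
            report["modified"].append(entry.name)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def build_demo() -> Tuple[Path, Dict[str, str]]:
    """Constructed sample repository: one clean installer, one tampered update,
    one stray file nobody published, and one published file never uploaded."""
    root = Path(tempfile.mkdtemp(prefix="cch_downloads_"))
    clean_installer = b"MZ-constructed-clean-installer-bytes"
    genuine_update = b"MZ-constructed-genuine-update-bytes"
    (root / "Setup-2019.2.exe").write_bytes(clean_installer)
    (root / "Update-2019.2.1.msi").write_bytes(genuine_update + b"-plus-injected-payload")
    (root / "upload.php").write_bytes(b"<?php /* constructed stray file */ ?>")
    os.chmod(root, 0o777)  # emulate the anonymously writable directory
    manifest = {
        "Setup-2019.2.exe": hashlib.sha256(clean_installer).hexdigest(),
        "Update-2019.2.1.msi": hashlib.sha256(genuine_update).hexdigest(),
        "Hotfix-2019.2.2.exe": "0" * 64,  # published hash, file never uploaded
    }
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo()
    for status, names in audit_download_dir(demo_root, demo_manifest).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Run against the constructed directory, the audit reports the clean installer as verified, the altered MSI as modified, upload.php as unexpected, the unpublished hotfix as missing, and the directory itself as world-writable. Hash comparison only helps if the manifest comes from somewhere the attacker could not also write to; for Windows installers, checking the Authenticode signature chain is the complementary check.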

----------------

At the time of writing the Client Portal (accountantspace) appears to be back online, with reports of products slowly returning; however, some users report that all systems are still down.

It is likely we will see more services come back online throughout today (8th May) as Wolters Kluwer works to restore operations.

[Updated 8th May - 5.30pm]

No further update so far. Word is trickling through that some systems are coming back online, but the vast majority remain completely offline, with still no official word or ETA for a fix.

 

[Updated 8th May - 7.15pm]

Updates have been posted both on Reddit and on the CCH Feedback Forum

CCH Axcess Update – Systems Restored

We have restored network and services for CCH Axcess. Our priority has been to bring the system up and get you back to work as quickly as possible. In order to do that, we have had to make a few choices, and a few functions are currently unavailable:
  1. The e-filing capability is not yet available at this time. We will notify you when it is available; please hold your e-filing until then. Should you attempt to e-file in the meantime, you will receive an upload error message. For now, please save your returns within the CCH Axcess application.
  2. The email capability is performing slower than normal. You will notice a latency when attempting to send and receive email messages.
  3. Some articles and news are not accessible via links. Currently you will not have access to links to chat or support content, links to CCH Software news, or links to Knowledge Base Articles/Reviews.
  4. At this time, new users cannot be activated. For now, you will not have the ability to set up new users within the CCH Axcess application.

We will restore these services as soon as possible and will inform you when they are available. We appreciate your patience as we work to enable these capabilities.

As previously communicated, certain Wolters Kluwer platforms and applications have been experiencing service interruptions since Monday. We want to apologize for any inconvenience this may have caused.

[Update 9th May - 3:25pm]

Wolters Kluwer has started issuing customers with an update, as reported by Reddit user ManorTwpMan:

 

Dear Customer,

Thank you for your continued patience as we work to fully restore all of our applications and platforms. I am writing to update you on the progress we are making in this regard, as well as provide more context about how this situation originated and how we were able to effectively isolate and contain it before it could have any detrimental effect on customer data.

As previously shared, on May 6th when we started seeing technical anomalies in a number of our applications and platforms, we proactively isolated our systems out of an abundance of caution before any detrimental effects could occur. We have since been working with best-in-class anti-virus and security firms to develop and deploy newly released anti-virus solutions. This process assures a high degree of confidence in the security of our applications and platforms before bringing them back online.

It’s important to clarify that although there was malware on our network, we have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.

As you know, Wolters Kluwer delivers a suite of distinct applications in a variety of formats, each of which is designed to serve distinct segments of the tax and accounting ecosystem. We are in the process of scanning, testing, and restoring each service and application, and because they are distinct, they must be brought back online sequentially. We are restoring our applications and platforms in the following order:

  • CCH® SureTax® (online)
  • CCH Axcess™ (online)
  • CCH® AnswerConnect (online)
  • CCH® Intelliconnect® (online)
  • CCH® Account Research Manager (online)
These following systems are still in process:
  • Electronic Filing System (ELF for medium and large firm customers)
  • CCH® Global fx
  • ATX™ & TaxWise® electronic filing
  • TaxWise® Online™
In short, the service interruptions you have experienced are primarily the result of our aggressive, precautionary efforts to ensure the safety of your data. This is why at this time we are confident that we see no indication of data loss or other effects, nor any potential risk to our customers’ data.
As we’ve noted before, we are working diligently around the clock to completely restore service and those efforts are continuing.
If you have any questions, we have established a dedicated customer support line regarding this incident at 800-930-1753 and a live chat capability at taxna.wolterskluwer.com. We appreciate your continued patience and will work to keep you updated as new information becomes available.
The Wolters Kluwer Team

 

[Updated 10th May 2.30pm]

A Reddit post quoted an update email sent to Canadian customers:

(The body of the email is word for word the 9th May customer update quoted above; only the system lists differ.)

These systems are online:

  • Taxprep and Taxprep Dashboard
  • Cantax
  • CCH iFirm
  • CCH iFirm Tax
  • CCH Document
  • CCH Portal
  • CCH Scan
  • CCH ProSystem fx Practice Management
  • CCH Engagement
  • Aliform
  • FP Solutions
  • CCH Profit Driver
These systems are still in process:
  • CCH IntelliConnect
  • TaxprepConnect (AFR)
  • Cantax and Taxprep EFILE and printing limited version only
  • iFirm Tax T1 and T2 printing, plus CO-17 EFILING
  • CCH Site Builder
  • Cantax and Taxprep download centre
  • CCH Scan Autoflow
  • AliForm Portal

[Updated 10th May 4.30pm]

The general consensus online seems to be that all CCH services are back online again; however, no official statement from Wolters Kluwer confirming this has been released.

Their latest update states that law enforcement has been notified, and that they are working with "best-in-class anti-virus and security firms to develop and deploy newly released anti-virus solutions."

In Summary

The coming weeks will show how this situation develops and what lasting impact it has on Wolters Kluwer and its customers.

Significant changes will clearly be needed to restore customer confidence; some customers have been unable to operate for a full working week as a result of the precautionary shutdown.

There has also been no official confirmation that this was indeed the Mega Cortex strain of ransomware, nor that it was what triggered the immediate shutdown of all systems.

Mega Cortex is reported to be launched from a compromised domain controller, using administrative credentials to push itself to other computers on the domain. That fits the Reddit engineer's account of being told to switch off the domain controllers and backup software.

Given the complete shutdown of seemingly every system, that still looks the most likely explanation; however, we await a full RFO (Reason For Outage), which I hope will be forthcoming once the investigation is complete.
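The spread pattern described above leaves a recognisable trace in Windows security logs: a single account authenticating from a single source to many hosts inside a few minutes. As an added example (not Wolters Kluwer's code and not any vendor's detection logic), the Python below implements that detection over a constructed sample of Event ID 4624, logon type 3 records flattened to time, account, source host and target host. The sample events, host names, the list of privileged accounts and the list of domain controllers are all assumptions made for the example.

```python
"""
Detect credential fan-out: one account, one source, many targets in a short
window, the trace left when ransomware uses harvested administrative
credentials to push itself across a domain.

Added example, not Wolters Kluwer's or any vendor's detection logic. The event
layout, host names, accounts and thresholds are constructed assumptions; real
input would be Event ID 4624 (logon type 3) records from the DCs or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of network logons.
SAMPLE_EVENTS = [
    {"time": "2019-05-06T02:14:05", "account": "CORP\\svc_backup", "src": "DC01", "dst": "FS01"},
    {"time": "2019-05-06T02:14:09", "account": "CORP\\svc_backup", "src": "DC01", "dst": "FS02"},
    {"time": "2019-05-06T02:14:12", "account": "CORP\\svc_backup", "src": "DC01", "dst": "APP01"},
    {"time": "2019-05-06T02:14:15", "account": "CORP\\svc_backup", "src": "DC01", "dst": "APP02"},
    {"time": "2019-05-06T02:14:31", "account": "CORP\\svc_backup", "src": "DC01", "dst": "SQL01"},
    {"time": "2019-05-06T02:15:02", "account": "CORP\\svc_backup", "src": "DC01", "dst": "WEB01"},
    {"time": "2019-05-06T02:15:40", "account": "CORP\\svc_backup", "src": "DC01", "dst": "BKP01"},
    {"time": "2019-05-06T02:16:55", "account": "CORP\\svc_backup", "src": "DC01", "dst": "HR01"},
    # Ordinary user activity: two shares over a morning, not a fan-out.
    {"time": "2019-05-06T09:01:10", "account": "CORP\\jsmith", "src": "WS042", "dst": "FS01"},
    {"time": "2019-05-06T09:30:44", "account": "CORP\\jsmith", "src": "WS042", "dst": "PRN01"},
    # Scheduled backup the night before: one target, repeated.
    {"time": "2019-05-05T23:00:00", "account": "CORP\\svc_backup", "src": "BKP01", "dst": "FS01"},
    {"time": "2019-05-05T23:05:00", "account": "CORP\\svc_backup", "src": "BKP01", "dst": "FS01"},
]

# Assumed directory context: privileged accounts and domain controller names.
PRIVILEGED_ACCOUNTS = {"CORP\\svc_backup", "CORP\\Administrator"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

Logon = Tuple[datetime, str]  # (time, target host)


def group_logons(events: List[dict]) -> Dict[Tuple[str, str], List[Logon]]:
    """Bucket events by (account, source host), each bucket sorted by time."""
    buckets: Dict[Tuple[str, str], List[Logon]] = defaultdict(list)
    for e in events:
        buckets[(e["account"], e["src"])].append((datetime.fromisoformat(e["time"]), e["dst"]))
    for logons in buckets.values():
        logons.sort()
    return buckets


def detect_fan_out(events: List[dict], window: timedelta = timedelta(minutes=5),
                   threshold: int = 5) -> List[dict]:
    """Return one alert per (account, source) whose logons reach `threshold`
    distinct targets inside any `window`; the widest such window is reported."""
    alerts = []
    for (account, src), logons in group_logons(events).items():
        best = None  # (first time, last time, set of targets)
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            targets = {dst for _, dst in logons[start:end + 1]}
            if len(targets) >= threshold and (best is None or len(targets) > len(best[2])):
                best = (logons[start][0], logons[end][0], targets)
        if best is None:
            continue
        privileged = account in PRIVILEGED_ACCOUNTS or src in DOMAIN_CONTROLLERS
        alerts.append({
            "account": account,
            "src": src,
            "targets": sorted(best[2]),
            "first_seen": best[0].isoformat(),
            "last_seen": best[1].isoformat(),
            "severity": "high" if privileged else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['account']} from {alert['src']} reached "
              f"{len(alert['targets'])} hosts between {alert['first_seen']} and {alert['last_seen']}")
```

On the sample data only the service account working out of DC01 trips the rule (eight hosts in under three minutes, rated high because both the account and the source are privileged); the user browsing two shares and the nightly backup job do not. In production the threshold and window need tuning per environment, legitimate scanners and backup servers need an allow-list, and 4624 events must be forwarded from member servers and workstations as well, since the DCs' own logs only record logons to the DCs themselves.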
 

 
