Accounting Service Hit with Cyber-Attack

3187590496?profile=RESIZE_710xWolters Kluwer NV (WKNV)[1] develops software that support small and midsized international accounting firms.  During a weekend in May of 2019, a cyberattack took down their software and currently present an interesting case study on how firms should not communicate with customers once hacked. 

WKNV passed via social media sites that due to the attack, they were taking down some of its cloud-based software applications.  Unfortunately, the short posts (48-word statement) did not adequately explain the reason for stopping their applications.   This left many accounting firms frustrated and worried about client data.[2]  The chief information officer (CIO) at WKNV responded to the requests for information with information that once the attack was discovered, their “customers were alerted immediately as soon as we discovered the issue.”  WKNV immediately began working in Holland, their headquarters, to analyze the severity of the attack. 

On the next Monday, a senior tax accountant in Tuscon, Arizona, arrived for work preparing for a busy week.  The firm’s nonprofit clients were facing a 15 May 2019 US IRS deadline to file their tax returns.  Failing to do so may result in financial penalties.   Turning on their office computer, the accountant noticed the software they were uses for everything from entering client data to electronically filing tax returns, was not working.  

The firm was somewhat used to periodic outages of the WKNV software, which includes CCH SureTax and CCH Axcess.  Commerce Clearing House, or CCH, is a subsidiary of WKNV.  But something was different with this glitch.  A message instructed the software was down for “scheduled maintenance” and was not expected to be up and running again until the following day.  Next, they tried to check the NKNV website, yet that was offline too.  The firm went back to using the telephone and call the US representative for WKNV.  The WKNV customer support had a pre-recorded message stating they were “experiencing technical difficulties.” Then the line went dead.  The Arizona based firm decided to check social media, where CCH customers across the world were complaining of the same issue.  Almost 24 hours after the outage first began, the WKNV short message was posted to its US Facebook page about its “network and service interruptions,” but not on a social media channel the company had used for such important communication in the past.   

The malware attack WKNV was hit with, followed a growing list of high-profile companies and institutions whose core assets have been the subject of devastating cyber-attacks.  Ironically on the same day of the WKNV attack, the city government of Baltimore, MD was hit by ransomware, a type of malicious software that locks down computers until somebody pays the attacker a ransom fee.[3]  There is no apparent connection in these attacks, other than exposing the severity of malware attacks. 

The chief of cyber threat detection at Price Waterhouse Cooper (PwC) in the UK, said the WKNV incident was attacking the “software supply chain,” especially enterprise software that is used across a particular industry or sector.  This is an increasingly popular tactic for sophisticated hackers, including groups associated with nation-states.  About 24 hours after WKNV confirmed that malicious software was in its network was causing the software disruption.  WKNV then pulled more of their products offline to try and limit damage.  This bright many firms to a standstill, including the Arizona firm.  Unable to access their time keeping records on CCH, the firm missed its payroll deadline.  As remediation, the accountants considered resorting to old-fashioned paper IRS forms to meet tax filing deadlines for their clients.  But, even doing that was tricky because all of the client data they needed to fill in those forms was inaccessible; all stored on the WKNV-CCH servers.

Many WLNV clients are small to midsized accounting firms who rely on a whole suite of products.  The Arizona firm has about 200 accountants and consultants, located in various US states.  They use CCH’s software not just to file client tax returns, but to keep track of their own billing and accounts receivable.

On 8 May 2019, Wolters Kluwer published a statement explaining they created a temporary telephone support line, but with a caution: “While we may not be able to directly answer your question, we will forward your inquiry internally to the appropriate party.”  It took until 9 May 2019, to restored service and accountants were able to get back to work.  Clients complained that the WKNV communication during the incident was insufficient, poor and caused even more confusion.  It is reported that even WKNV staff were not properly notified. 

WKNV later reported that there was no evidence that customer data or systems were compromised or that there was a breach of confidentiality of that data and that law enforcement had been alerted to the attack.  Currently it remains unclear what type of malware hit WKNV, but according to some reports the ransomware involved in the attack is MegaCortex. MegaCortex was first discovered by security experts at Sophos in January 2019, it is targeting corporate networks in the United States, Italy, Canada, France, the Netherlands, and Ireland.  MegaCortex may have a relationship with threat actors distributing the “Emotet” and Qakbot” trojans.  MegaCortex is distributed via a “convoluted infection methodology” that “leverages both automated and manual components”. Researchers found MegaCortex primarily uses automated attacks conducted through an unnamed “common red-team attack tool script” that then creates a “Meterpreter” reverse shell.[4]

Hackers will often try to compromise the servers that send out updates and patches to all users of that software, passing off their malware as a legitimate update.  In some cases, the hackers’ target may be one specific firm that they know use that software and the other firms in the industry are simply considered “collateral damage.” This is called “a waterhole attack.”   Keeping your network safe takes tools and expertise that help protect your valuable data.  Cyber Threat Analysis Center (CTAC), RedXray and ThreatRecon are tools that Wapack Labs offer to help guard your systems.

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com    

 

[1] https://wolterskluwer.com/

[2] https://www.accountingtoday.com/articles/a-massive-accounting-hack-kept-clients-offline-and-in-the-dark

[3] https://www.cnbc.com/2019/05/26/wolters-kluwer-baltimore-ransomware-attacks-have-big-ripple-effects.html

[4] https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/

Wolters Kluwer NV (WKNV)[1] develops software that support small and midsized international accounting firms.  During a weekend in May of 2019, a cyberattack took down their software and currently present an interesting case study on how firms should not communicate with customers once hacked. 

WKNV passed via social media sites that due to the attack, they were taking down some of its cloud-based software applications.  Unfortunately, the short posts (48-word statement) did not adequately explain the reason for stopping their applications.   This left many accounting firms frustrated and worried about client data.[2]  The chief information officer (CIO) at WKNV responded to the requests for information with information that once the attack was discovered, their “customers were alerted immediately as soon as we discovered the issue.”  WKNV immediately began working in Holland, their headquarters, to analyze the severity of the attack. 

On the next Monday, a senior tax accountant in Tuscon, Arizona, arrived for work preparing for a busy week.  The firm’s nonprofit clients were facing a 15 May 2019 US IRS deadline to file their tax returns.  Failing to do so may result in financial penalties.   Turning on their office computer, the accountant noticed the software they were uses for everything from entering client data to electronically filing tax returns, was not working.  

The firm was somewhat used to periodic outages of the WKNV software, which includes CCH SureTax and CCH Axcess.  Commerce Clearing House, or CCH, is a subsidiary of WKNV.  But something was different with this glitch.  A message instructed the software was down for “scheduled maintenance” and was not expected to be up and running again until the following day.  Next, they tried to check the NKNV website, yet that was offline too.  The firm went back to using the telephone and call the US representative for WKNV.  The WKNV customer support had a pre-recorded message stating they were “experiencing technical difficulties.” Then the line went dead.  The Arizona based firm decided to check social media, where CCH customers across the world were complaining of the same issue.  Almost 24 hours after the outage first began, the WKNV short message was posted to its US Facebook page about its “network and service interruptions,” but not on a social media channel the company had used for such important communication in the past.   

The malware attack WKNV was hit with, followed a growing list of high-profile companies and institutions whose core assets have been the subject of devastating cyber-attacks.  Ironically on the same day of the WKNV attack, the city government of Baltimore, MD was hit by ransomware, a type of malicious software that locks down computers until somebody pays the attacker a ransom fee.[3]  There is no apparent connection in these attacks, other than exposing the severity of malware attacks. 

The chief of cyber threat detection at Price Waterhouse Cooper (PwC) in the UK, said the WKNV incident was attacking the “software supply chain,” especially enterprise software that is used across a particular industry or sector.  This is an increasingly popular tactic for sophisticated hackers, including groups associated with nation-states.  About 24 hours after WKNV confirmed that malicious software was in its network was causing the software disruption.  WKNV then pulled more of their products offline to try and limit damage.  This bright many firms to a standstill, including the Arizona firm.  Unable to access their time keeping records on CCH, the firm missed its payroll deadline.  As remediation, the accountants considered resorting to old-fashioned paper IRS forms to meet tax filing deadlines for their clients.  But, even doing that was tricky because all of the client data they needed to fill in those forms was inaccessible; all stored on the WKNV-CCH servers.

Many WLNV clients are small to midsized accounting firms who rely on a whole suite of products.  The Arizona firm has about 200 accountants and consultants, located in various US states.  They use CCH’s software not just to file client tax returns, but to keep track of their own billing and accounts receivable.

On 8 May 2019, Wolters Kluwer published a statement explaining they created a temporary telephone support line, but with a caution: “While we may not be able to directly answer your question, we will forward your inquiry internally to the appropriate party.”  It took until 9 May 2019, to restored service and accountants were able to get back to work.  Clients complained that the WKNV communication during the incident was insufficient, poor and caused even more confusion.  It is reported that even WKNV staff were not properly notified. 

WKNV later reported that there was no evidence that customer data or systems were compromised or that there was a breach of confidentiality of that data and that law enforcement had been alerted to the attack.  Currently it remains unclear what type of malware hit WKNV, but according to some reports the ransomware involved in the attack is MegaCortex. MegaCortex was first discovered by security experts at Sophos in January 2019, it is targeting corporate networks in the United States, Italy, Canada, France, the Netherlands, and Ireland.  MegaCortex may have a relationship with threat actors distributing the “Emotet” and Qakbot” trojans.  MegaCortex is distributed via a “convoluted infection methodology” that “leverages both automated and manual components”. Researchers found MegaCortex primarily uses automated attacks conducted through an unnamed “common red-team attack tool script” that then creates a “Meterpreter” reverse shell.[4]

Hackers will often try to compromise the servers that send out updates and patches to all users of that software, passing off their malware as a legitimate update.  In some cases, the hackers’ target may be one specific firm that they know use that software and the other firms in the industry are simply considered “collateral damage.” This is called “a waterhole attack.”   Keeping your network safe takes tools and expertise that help protect your valuable data.  Cyber Threat Analysis Center (CTAC), RedXray and ThreatRecon are tools that Wapack Labs offer to help guard your systems.

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com    

[1] https://wolterskluwer.com/

[2] https://www.accountingtoday.com/articles/a-massive-accounting-hack-kept-clients-offline-and-in-the-dark

[3] https://www.cnbc.com/2019/05/26/wolters-kluwer-baltimore-ransomware-attacks-have-big-ripple-effects.html

[4] https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!