Wolters Kluwer was warned on May 3 by Brian Krebs, an author who writes extensively about computer security, about possible security problems with its software. In a post on Krebs on Security, Krebs admitted he had no information that the problems he reported had anything to do with the outages that have affected CCH products and services since May 6. And whether or not the WK operations were hit by the Mega Cortex ransomware virus as some specuate, the outage comes at a time that malware has been reported as hitting large corporations around the world in the last few days.
The three-day outage has stymied CCH users who found themselves unable to do business. Some users say that CCH software, support and phones were down or that the company phones were not being answered. They have been venting their anger at Wolters Kluwer with theories about the situation being kicked around on social media. Most are complaining about what they see as inadequate information from WK.
The situation appears to be in flux. WK reported that on the morning of May it determined it had experienced a malware attack and proceeded to take platforms, software and services off line to prevent its spread and that it was bringing systems back up selectively.
A statement on 1:45 pm May 8 by the company said the CCH Axcess system was back up. Among services not available were efiling while email was performing more slowly than normal. Some articles and news were not accessible via links and new users also could not be set up within CCH Axcess. An updated statement on the website of the parent Wolters Kluwer said the company was bringing its support centers back on line.
However, user reports say Axcess went back down.
Whatever the cause of the outages, Krebs said he asked a friend on May 3 to relay information to a security contact at CCH about his concerns about its software. “The message was that the same file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access,” Krebs wrote.
A Reddit report from supposedly with CCH said the presence of Mega Cortex had been confirmed. Although both the account and message were deleted, it has been reposted on Reddit by another user.
Krebs' post did not touch on the possibility of the attack being caused by ransomware. He did cite what he saw as troubling problems in the software. He said he saw odd PHP and text files in CCH directories “including one that seemed to be promoting two different and unrelated Russian language discussion forums.” He also said, “I sent Wolters Kluwer an email asking how long the file server had been so promiscuous (allowing anyone to upload files to the server), and what the company was doing to validate the integrity of the software made available for download by CCH tax customers"
