Wolters Kluwer, the company behind cloud accounting software CCH, has confirmed that its service was knocked offline after malware was discovered on its systems.
Part of the statement reads:
On Monday, May 6, we started seeing technical anomalies in a number of our platforms and applications. We immediately started investigating and discovered the installation of malware. As a precaution, in parallel, we decided to take a broader range of platforms and applications offline. With this action, we aimed to quickly limit the impact this malware could have had, giving us the opportunity to investigate the issue with assistance from third-party forensics consultants and work on a solution. Unfortunately, this impacted our communication channels and limited our ability to share updates.
Precisely what malware was discovered on Wolters Kluwer’s network, and whether it was – for instance – file-encrypting ransomware or designed to allow hackers to steal information, has not been disclosed.
That’s a detail many CCH users will be keen to learn, as it will help them assess whether other sensitive information may have been exposed as a result of the breach, although Wolters Kluwer does say it does not believe any customer or corporate data was stolen.
There will also no doubt be tough questions asked regarding whether Wolters Kluwer has been as transparent as possible in communicating promptly with its professional accountancy customers about why CCH was inaccessible.
In the absence of initial details, a thread sprang up on Reddit, with frustrated CCH users posting about their experiences and sharing theories of what might be going on.
Although it’s unclear if it’s connected or not, one Reddit user reported that two workers at their firm had received phishing emails yesterday purporting to come from a Wolters Kluwer employee called “Tammy”.
To add to Wolters Kluwer’s headaches, security blogger Brian Krebs reports that last Friday he informed the CCH security team that publicly-accessible file directories containing new versions of the company’s software were “open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access.”
This, no doubt, was the nudge that resulted in the malware being discovered.