Wolters Kluwer “Still Down” From May 6 Cyber Attack

There is never a good time for the information systems of one of the world’s largest hosted services providers to go down, but in this case, at least it wasn’t April 6th.

One of the Dutch firm Wolters Kluwer’s big services is CCH, the online tax software that many accounting firms, large and small, use.

CCH does have a version of their software that you can install on your own servers, but like many software providers, they want the monthly recurring revenue (MRR) that comes from a hosted version, so they push very hard to get users to use the online versions of their software.

So when, on May 6th, the firm, which provides services to clinicians, nurses, accountants, lawyers, and the audit, risk, compliance and regulatory sectors, found out that it was having “network and service issues”, that was not something that executive management wanted to hear.  The media says that the firm started seeing “technical anomalies” and an investigation discovered malware.  Brian Krebs, a former WaPo reporter and now security blogger, started hearing reports several days before, on May 3rd, and he reported what he heard to Wolters Kluwer at the time.  Some reports said the infection was MegaCortex, an enterprise-class ransomware strain.

It is also something that their clients, who often work against deadlines, did not want to hear.

Worse yet, because they had to shut down many of their services, they didn’t have a good way to tell their clients what was happening.

Customers resorted to posting messages on the company’s Facebook page.  Some said that the outage was even affecting the locally installed Taxprep T1 and Taxprep T3 software.  This is not completely unexpected, as that software probably gets information – forms and rules, perhaps – from an online repository.

Customers also said on Facebook that they were not terribly happy with Wolters Kluwer’s level of communications.  They said “WK needs more professional ways to communicate with corporate clients than through Facebook posts.  We’re running businesses not planning reunions.  I only found out about this thread from a google search.  Facebook isn’t exactly my go-to for reliable information pertaining to business”.

WK said that they restored some services on the 7th but did not have any ETA for when everything was going to be working again.

In a tone-deaf response to the situation, they said “Our process and protocols assure a high degree of confidence in the security of our applications and platforms before they are brought back online.  We have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.”

Maybe they should start with “we are sorry”.

When one media outlet reached out for information, WK did not even respond.

Enough about the details of this incident.  Let’s look at what they did wrong and what YOU would do in the same circumstances.

NUMBER ONE – It seems (I have no inside information) that their cybersecurity incident response program (CSIRP) is inadequate.  While they are not the first (or last) large company (over 4 billion Euros a year) to fail to have an adequate CSIRP, that doesn’t give them any forgiveness.  Remember the totally botched incident response from Equifax after their breach?

While Wolters Kluwer will survive this – including the inevitable breach of contract and breach of fiduciary responsibility lawsuits that will happen – small companies just literally close their doors.  Between the reputation damages, the breach response mitigation costs and the distraction, your average company is going to be very stressed over an incident like this.

If you use online services or provide online services, is your CSIRP up to the task?  While the needs of service providers and customers are different, both need FREQUENTLY TESTED CSIRPs.

It appears clear that they did not think about how to communicate with their customers (what a crisis communications expert brings to the party) in the event of a major outage.

While we don’t know yet whether they had cyber breach insurance, do you have it?  Not only does it help pay for the cost of responding to an incident, but it gets you a lot of expertise.

If you use online service providers, do you have a business continuity program that allows you to continue conducting business if one of your service providers goes offline like Wolters Kluwer did?  I might add – WITH NO WARNING!  In this case, it looks like at least parts of the operation were offline for several days.  How would you continue to do business?

Notice the communication that came from the lawyers in their statement: “We have seen no evidence that customer data and systems were compromised”.  This is dramatically different from “no customer data or systems were compromised”.  If you were completely clueless, you would have no evidence.  That doesn’t mean that your data wasn’t taken.

If you are using an online service provider, what does your contract say about service level agreements or damages?  Most of the time the damages are limited to the amount of money you paid during the time they were down.  Let’s say that the service costs you $10,000 a month and it was down for 2 days.  That means you might get as much as $10,000/30×2=$667.  Will $667 cover your losses?  Just checking.  That assumes that the fine print doesn’t let them completely off the hook.

It doesn’t even look like they were doing a good job of responding to Facebook posts.  Their Facebook site currently says:

Please visit our website for an update on our progress with restoring our applications and platforms. We have already brought online several of our systems, including CCH SureTax and CCH Axcess. We are fully committed to restoring remaining services as quickly as possible for our customers. Our teams are working hard around the clock to completely restore access, and appreciate your continued patience. https://bit.ly/302ekMF

The post on their web site really doesn’t have a lot of information on it other than they are working hard on fixing things, which I am sure that they are.

Next, let’s talk about logging.  VERY comprehensive and detailed logs are needed if you are going to be able to figure out whether anything was stolen.  That is why, in many cases, companies are forced to assume data was stolen, even though they really don’t have a clue.

And don’t forget about backups.  Is everything backed up?  Are you sure?  Time and again we hear about companies that thought everything was backed up, only to find out that it wasn’t.  And while it is okay if it takes a long time to back up your data, if it is going to take a week to restore it, that could be a problem.

Lastly, let’s talk about disaster recovery.  Sometimes when you get hit by a ransomware attack, your backups get hit too.  While it is hard to protect your DR site (you DO have a DR site, right?), it is possible.  The challenge is how long it will take you to recover.  And that is directly related to cost.  The shorter the recovery window, the more money it is going to cost.  But you need to think that through and have realistic expectations.  Don’t stick your head in the digital sand and hope.  That is not a great strategy.

Bottom line – pretty much every company will have a bad day – or week at some point in time.  The real question is how you would respond to it.

There is good news, assuming that you are neither Wolters Kluwer nor one of their customers.

You have free training on how NOT to handle a breach.  All you need to do is watch what they are doing and ask if that would be how you would like to be treated if you were their customer.

If you are one of their customers – and there are tens of thousands of you out there – I’m sorry that they are not better prepared.

Information for this post came from SC Magazine and Security Week.

Security News for the Week Ending May 10, 2019

Hackers Wiping Github and Other Repos

Hackers are attacking repositories of users on Github, Gitlab and Bitbucket, leaving a ransom note that says pay up if you want your software back.

The ransom isn’t much – around $500 – which may cause people to pay up rather than trying to recover the data, which I assume is their strategy.

One possibility is that users have the password embedded in other repositories in clear text and the hackers were able to find those passwords.

Key point here is to make sure that you have backups OF ALL OF YOUR CLOUD BASED DATA.  Today it is Github; tomorrow it is something else.  If you care about your data, make sure that it is securely backed up.  Offline backups are best because it is hard to wipe something that is not connected.  Source: Bleeping Computer.


Remember Shadow Brokers – China Already Had the Tools That Were Released

Remember all the fury a few years ago when Shadow Brokers released a whole bunch of NSA hacking tools?  Symantec now says that China already had those tools a year earlier and was using them against others.  Was NSA hacked?  Apparently not – China captured the NSA tools that were being used on them and repurposed them.

It is hard to keep these tools in check.  If you use them, people will likely discover that fact, and if they are motivated, they may use them against you.  In this case, China used them to hack targets in at least 5 countries, including one telecom carrier where they got access to hundreds of thousands or millions of private communications.

After Shadow Brokers released the tools, China felt even bolder to use them because now they weren’t secret any more and would soon be patched.

Keeping these secrets under wraps is basically impossible.  Source:  The NY Times.

Israel Blows Up Palestinian Hackers

In an unusual move, Israel blew up a building that it said was used by Hamas for cyber attacks – in direct response to current or future Hamas cyber attacks, according to a press release from the IDF.

Neither side is saying much beyond that Israel did blow up the building.  No one is saying if there were casualties.

Apparently this facility was known to the Israelis.  This points to the likely escalation of cyber war into kinetic war as large countries fear what small countries can do in cyberspace.  This likely causes an escalation into cyber warriors operating out of spaces which would cause collateral damage if bombed, such as schools, hospitals and shopping malls.  Source: Gizmodo.


A Few More Details On Cyber Attack Against Western US Power Utility

We are hearing a few more details about the cyber attack on a so-far unnamed western US power utility.

The attackers, it is now being anonymously reported, disabled the utility’s Cisco ASAs.  This is particularly scary since Cisco is pretty much the 800 pound gorilla in that space and their Adaptive Security Appliance is used by hundreds of thousands (or more) of businesses.  It is certainly possible that the ASAs were configured insecurely or were missing patches (security patches are typically not available to owners unless they have a paid-up maintenance plan, which I HOPE an electric utility would have).

Given how critical the electrical grid is in the US and how fragile it is, this is a bit of a wake up call for those utilities (water, power, gas, phone, Internet, etc.) that have not yet drunk the security Kool-Aid.  Source: EENews.


Navy May Be Getting Serious About Cybersecurity

Last year the Navy decided that having a CIO was superfluous and eliminated the position as unnecessary (See article).   They decided that the Undersecretary of the Navy could manage all those pesky IT and security details in his spare time.

In March the Navy released a SCATHING report on how bad their cybersecurity really was.  Now they are working on asking Congress to approve adding a position at the Assistant Secretary level, responsible for IT and security.

They also are looking at training (too basic) and discipline (can cyber-mistakes get you fired?).

There is a report due June 1 outlining the roles, responsibilities and staffing for an Assistant Secretary for cyber, with a plan to roll it out in July.  March.  June.  July.  This is amazingly fast for an organization as large as the Navy.



Google Trying to Compete With Apple in Android Security

I think it would be hard to argue with the statement that when it comes to mobile (phone) security, Apple has it all over Google.

For the most part, other than for the Google branded phones, that is because they have to work through the handset manufacturers and wireless carriers.

Apparently, not any more.

For new phones running Android Q, currently in beta, Google will directly install updates for 14 modules of the Android OS – Without the user even having to reboot.  This is moving Android (very slowly) in the direction of a micro kernel operating system like Minix 3.0 (full disclosure – my brother’s team wrote Minix 3.0).

The 14 modules are:

Captive portal login
DNS resolver
Documents UI
Media codecs
Media framework components
Network permission configuration
Networking components
Permission controller
Time zone data
Module metadata

If one of these modules is updated, they stop the service, update it and restart it, transparently to the user, cutting out both the handset manufacturer and the carrier.

But only for phones that come with Android Q out of the box – not those that get it via an upgrade (probably due to the license agreement between Google and the handset vendor).

Handset manufacturers CAN opt out of this, called project Mainline, but why would they?

Android Q comes with 50 security enhancements in addition to this, including TLS V3, MAC address randomization, increased control over location data and better user control over what apps have what permissions.

Users should be looking for phones that ship with Android Q out of the box and where handset manufacturers are supporting project Mainline.

Whether Q comes out of the box or via an upgrade, users still get the new security features.  If you are a security conscious Android user, you should definitely look for Q on your next phone.

Source: ZDNet.

Supply Chain Attacks Are Going Strong

This time the attack is against an eCommerce platform, PrismWeb, that is used by College bookstores.

The attack is similar to other attacks, in that the hackers somehow got into the company’s system and inserted a tiny bit of Javascript that steals credit card data – very similar to Magecart, which is affecting sites from TicketMaster to British Airways.  PrismWeb is integrated into the various college bookstore websites, and when a student goes to check out, the malware is downloaded from PrismWeb as part of the Javascript needed to operate the checkout process.

These attackers are clever in that the attacks take the data, format it as JSON, encrypt it and upload it in a way to make it look like Google Analytics data.

The data being stolen is credit card number, expiration date, CVV, billing name and address, and phone.

Over 200 college bookstores have been affected, translating to tens of thousands of students – or more.

What is important to understand here is the concept, not the fact that 200+ colleges have been impacted.

If you use a service and that service has access to your data (remember card data is only one class of data these guys might want – trade secrets and medical data are two others, for example), you are potentially at risk if you don’t protect yourself.

One thing that all of these attacks have in common is that the data is being uploaded from your site to the attackers.  If your site should not be uploading data unsolicited (as in, not in direct response to a user’s query), you need to be aware if this is happening and alert on it.

Of course, attackers can change their MO, but so far, of the thousands of sites affected, this is a common theme.
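Two defensive pieces for the checkout-skimmer pattern described above, as an added example that is not part of the original post or of PrismWeb: a Content-Security-Policy that limits where page JavaScript may send data, and triage of the violation reports browsers POST back, so an unexpected “analytics-looking” destination raises an alert. All hostnames, the report endpoint path and the report bodies are constructed for illustration.

```python
"""Added example (not from the original post): constrain and monitor where a
checkout page's JavaScript can send data.

  build_csp()      - emit a Content-Security-Policy header value that only lets
                     scripts connect to hosts you have approved.
  triage_reports() - classify the violation reports browsers POST to report-uri,
                     flagging destinations that mimic analytics services.
All hostnames and report bodies are constructed for illustration.
"""
import json
from urllib.parse import urlparse

# Constructed allowlist: the first-party shop origin and the real analytics host.
ALLOWED_HOSTS = ("shop.bookstore.example", "www.google-analytics.com")

# Substrings a skimmer's exfil host often borrows to blend in with analytics traffic.
LOOKALIKE_MARKERS = ("google", "analytics", "gstatic", "stats")


def build_csp(allowed_hosts, report_endpoint="/csp-report"):
    """connect-src governs fetch/XHR/sendBeacon (the usual upload path for a
    skimmer); img-src covers the older <img src=...> beacon trick."""
    src = " ".join(f"https://{h}" for h in allowed_hosts)
    directives = [
        "default-src 'self'",
        f"script-src 'self' {src}",
        f"connect-src 'self' {src}",
        f"img-src 'self' {src}",
        f"report-uri {report_endpoint}",
    ]
    return "; ".join(directives)


def classify_report(report, allowed_hosts=ALLOWED_HOSTS):
    """Classify one CSP violation report (dict parsed from the POSTed JSON)."""
    blocked = report.get("csp-report", {}).get("blocked-uri", "")
    host = urlparse(blocked).hostname if "://" in blocked else None
    if host is None:
        # 'inline', 'eval' or 'data:' violations are a different finding class.
        return {"host": blocked, "verdict": "inline-or-data"}
    if host in allowed_hosts:
        return {"host": host, "verdict": "allowed"}  # allowlist/policy drift
    lookalike = any(m in host.lower() for m in LOOKALIKE_MARKERS)
    return {"host": host, "verdict": "suspicious-lookalike" if lookalike else "unexpected"}


def triage_reports(raw_reports):
    """Parse JSON report bodies; return only findings needing human attention."""
    findings = [classify_report(json.loads(r)) for r in raw_reports]
    return [f for f in findings if f["verdict"] in ("suspicious-lookalike", "unexpected")]


# Constructed sample reports, shaped like a browser's report-uri POST body.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.bookstore.example/checkout",
                               "violated-directive": "connect-src",
                               "blocked-uri": "https://google-analytics-cdn.example/collect"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.bookstore.example/checkout",
                               "violated-directive": "script-src",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.bookstore.example/checkout",
                               "violated-directive": "img-src",
                               "blocked-uri": "https://cdn.bookstore.example/logo.png"}}),
]

if __name__ == "__main__":
    print(build_csp(ALLOWED_HOSTS))
    for finding in triage_reports(SAMPLE_REPORTS):
        print(f"ALERT {finding['verdict']}: {finding['host']}")
```

The policy blocks the upload outright in CSP-enforcing browsers; the report triage is what tells you a third-party script tried it, which is the “be aware and alert” step.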

Ultimately, the problem is with the vendor.  Somehow they were compromised.  And the compromise was not detected.

In this case the customers – the 200+ college bookstores – are left to clean up the mess from the vendor.

MAYBE they will be compensated.  Maybe they will have to sue their vendor (that is no fun and will not get them any money for years, even if they win).  That is all a function of how well their Vendor Cyber Risk Management process works.

Ultimately, it is your problem to deal with and right now, most companies are not paying enough attention to it and the hackers are having a field day.  That is, until they are hacked.  At which point they throw millions at it.  Not a great strategy  – for YOU or for YOUR CUSTOMERS.

Source:  Bleeping Computer.


Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an expose on how the State Department granted a U.S. company an ITAR license to train UAE spies on hacking.  The plan, which got out of control, was to constrain the UAE spies, but once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.


Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day, Malwarebytes’ Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while Malwarebytes’ stats report what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, different than the consumer world, ransomware is up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report, but is likely, is that this includes both successful and failed ransomware attacks, since this is an endpoint security product collecting the data.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business Email Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens – A small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training and I bet they get some –  after the horse and their money is out of the barn.  Source: KnowBe4.


Supply Chain Risk is a Major Problem

Germany-based CityComp, which has clients such as SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000, which was not paid.  The hacker claims to have over 500 gig of data in 312,000 files, which is set to be released.  Because a vendor was hacked.  In part because their clients’ vendor cyber risk management programs did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem which is not being adequately handled.  Read the details at The Register.


Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will allow you to specify how long they should keep your app activity and location data, but there are only three options – until you delete it, for 18 months or for 3 months.

You could before and still can turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.


Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials from 30 European Union and NATO countries, as well as Japan, Australia and Germany, are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up certain security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it fellas.  They may have just played the Chinese.  Source: Reuters.


Citrix Fesses Up More Details About Their Breach

One good thing about breach notification laws – we tend to find out more information about what actually happened.

Last month Citrix announced that hackers broke into their network and stole documents – corporate secrets.  They said they found out when the FBI came to tell them (that probably was not fun to admit).  Security firm Resecurity said that the hackers stole 6 terabytes of data.  Citrix said it was part of a sophisticated counterespionage campaign by a nation-state.

Now we are hearing more of the story because Citrix is required to report the breach to the California Attorney General.  The letter says, in part, that they got a visit from the FBI on March 6.  They started an investigation after being notified and currently believe the hackers got in around October 13, 2018.  This means that the hackers had access to the systems for about 5 months before the FBI told them.  As opposed to their original statement that the hackers stole business documents, they are now saying that they stole, among other things, documents about current and former employees and their dependents.  This includes personal and financial information.

In a stroke of brilliance, Citrix selected Equifax, the company who had the largest breach of personal information in US history, to provide identity theft protection.

Citrix is also admitting that the hackers likely got in using a password spraying attack.  Password spraying is where hackers use millions of passwords taken from old breaches and try them at random.  Not exactly a high tech attack.

This likely indicates that Citrix was not using multifactor authentication – otherwise password spray attacks would not work.
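Detecting the password-spraying pattern discussed above in authentication logs, as an added example that is not part of the original post or anything Citrix published. The distinguishing signal of a spray is one source producing failed logins against many distinct accounts while staying below any per-account lockout threshold, so the detector groups by source rather than by account; the log format, usernames and addresses are constructed for illustration.

```python
"""Added example (not from the original post): flag password-spraying in auth logs.

Per-account failure counters miss a spray because each account sees only one or
two failures. Grouping by source and counting DISTINCT usernames that failed
inside a short window catches it, and any success from the same source in that
window is the account the spray landed on. Log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<iso timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2019-03-01T02:00:01 FAIL user=alice src=198.51.100.7
2019-03-01T02:00:03 FAIL user=bob src=198.51.100.7
2019-03-01T02:00:05 FAIL user=carol src=198.51.100.7
2019-03-01T02:00:07 FAIL user=dave src=198.51.100.7
2019-03-01T02:00:09 FAIL user=erin src=198.51.100.7
2019-03-01T02:00:11 OK   user=frank src=198.51.100.7
2019-03-01T02:00:20 FAIL user=alice src=203.0.113.9
2019-03-01T02:00:25 FAIL user=alice src=203.0.113.9
2019-03-01T02:00:30 OK   user=alice src=203.0.113.9
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return one finding per source that failed against >= min_accounts
    distinct users within `window`, with any account it then logged into."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        # Slide a window over this source's failures, anchored at each failure.
        for i, start in enumerate(fails):
            end = start["ts"] + window
            users = {f["user"] for f in fails[i:] if f["ts"] <= end}
            if len(users) >= min_accounts:
                landed = sorted({e["user"] for e in evs
                                 if e["ok"] and start["ts"] <= e["ts"] <= end})
                findings.append({"src": src, "distinct_users": len(users),
                                 "succeeded": landed})
                break  # one finding per source is enough to alert
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f"SPRAY from {f['src']}: {f['distinct_users']} accounts, "
              f"succeeded on {f['succeeded'] or 'none'}")
```

The second source (two failures then a success, all on one account) is an ordinary mistyped password and produces no finding, which is the false-positive case a per-source detector has to tolerate.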

So, one of the premier tech companies, which is a vendor to the federal government, was unaware that hackers were inside its systems for 5 months and stole 6 terabytes of data, and the only reason they found out was that the FBI told them.

They also, apparently, did not have sufficient logging and alerting in place to detect the theft of 6 terabytes of data.

And while Equifax’s breach response services may be okay, the optics of it are terrible.

It appears from what they are saying that these attackers got in by the digital equivalent of rattling doorknobs until they found one where the lock fell off in their hand.

If I were a customer of Citrix, I would be looking at a different vendor.

Now here is the important part.



If you don’t know the answer to that question and cannot confidently explain why, then you may be in the same boat as Citrix.  And right now, that boat has holes in it and is taking on water.

If you need help, come talk to us.  It will take work, but it is doable.   Source: The Register.