UPDATED: What In the Hell Is Happening to CCH?


Get excited, Tax Twitter, you’re about to get your moment in the sun. Granted it’s a moment of total panic, but still, a moment.

So, if you haven’t heard, CCH has been borked since yesterday. When we say borked, we don’t mean “some users are having access problems,” rather the entire thing has been nuked to hell. Like POOF.

[Image: Fallout 76 nuke] Artist’s rendering of CCH services rn, and by artist I mean me, and by rendering I mean a screenie I took in Fallout 76 after dropping a nuke

It appears this was a prophylactic measure by Wolters Kluwer, though why they would feel compelled to take down the whole enchilada is speculation we’ll save for a minute.

Need CCH support? Yeah, good luck with that.


Late last night, Wolters Kluwer made a statement on Facebook that, as expected, was greeted with a cacophony of criticism and littered with angry emojis.

On May 6, 2019, Wolters Kluwer experienced network and service interruptions affecting certain Wolters Kluwer platforms and applications. Out of an abundance of caution, we proactively took offline a number of other applications as we continue to investigate any impact. This prevented us from having adequate time to provide you advance notice, and for that we sincerely apologize.

We are working diligently around the clock to restore service as soon as possible.

We apologize to our customers for the inconvenience and appreciate your patience. We will provide further updates as they become available.

Obviously we’re not going to be able to get someone from CCH on the phone to ask what’s up, so as is tradition around here, we will instead fuel the rumor mill and speculate wildly as to what could be so bad CCH had to go bye-bye to hide from it.

Let’s start in /r/sysadmin. The popular theory is obviously some type of breach (“hackers” for you olds) or virus. Friendly reminder, people on Reddit are often full of shit so take this with a giant grain of salt.

I have a buddy who works there who said the Canada Office shutdown due to a potential virus outbreak, the other locations shut down as a precautionary.

EDIT: I learned that it may have made it out to some of the other locations before they got most end users to shutdown their systems. I saw another comment here saying they thought it was Megacortex, which would likely mean someone with Domain Admin rights had their credentials ripped off/stolen. I expect the next few days to be quite interesting, as this is no small company.

Someone who probably should have kept his mouth shut and stopped powerleveling on Reddit chimed in with a now-deleted post confirming the cooties in the system.

Sounds similar to what my wife said (she’s an employee). She said they found the malware/ransomware in several locations across their network including the New York, New Jersey, Canada and Minnesota offices. I know they use Dell for a lot of the cloud based systems.

Here’s another powerleveling blabbermouth who must have rethought doxing himself in the middle of a security breach as he later deleted his comments:

I’m a system engineer with WK. The issue is quite large and is not just affecting CCH Axcess, but rather all customer facing products across the health, Tax & Accounting, Governance, Risk & Compliance, and Legal & Regulatory. My office was not affected directly but was told to turn off our backup software and turn off all domain controllers effectively ending our work day.

He went on to “confirm” the attack is of the MegaCortex ransomware variety, which everyone has been assuming anyway. Again, this is all rumor so no one knows at this point, nor should one expect Wolters Kluwer to come out and say they were hit by ransomware while the attack is still in progress. If, of course, that’s what’s happening.

It seems a lot of people are twiddling their precious little thumbs waiting for CCH to come back.

We’ll update when we know more, and in the meantime … I dunno, not really much that can be done.

Update: Today, May 8, 2019, Wolters Kluwer issued a statement admitting yeah, it was malware. Many services are still down as of this update; however, they are working toward getting them back online. The entirety of the statement can be found below:

On Monday, May 6, we started seeing technical anomalies in a number of our platforms and applications. We immediately started investigating and discovered the installation of malware. As a precaution, in parallel, we decided to take a broader range of platforms and applications offline. With this action, we aimed to quickly limit the impact this malware could have had, giving us the opportunity to investigate the issue with assistance from third-party forensics consultants and work on a solution. Unfortunately, this impacted our communication channels and limited our ability to share updates.

On May 7, we were able to restore service to a number of applications and platforms.

We regret any inconvenience and that we were unable to share more information initially, as our focus was on investigation and restoring services as quickly as possible for our customers.

We have seen no evidence that customer data was taken or that there was a breach of confidentiality of that data. Also, there is no reason to believe that our customers have been infected through our platforms and applications. Our investigation is ongoing. We want to apologize for any inconvenience this may have caused.

Update May 8, 17.00 CEST – For our customers in North America: As we continue to bring our support centers back online, please use this temporary number 800-930-1753 to contact us. While we may not be able to directly answer your question, we will forward your inquiry internally to the appropriate party.
