Wolters Kluwer Malware Attack Cleanup: IRS Grants Tax Filing Extension


After a malware attack recently shuttered Wolters Kluwer’s cloud-based CCH tax wing, the Internal Revenue Service (IRS) has extended the tax filing deadline for the company’s customers.


Based on what it called “technical abnormalities” seen on a number of its platforms and cloud-based applications, the $4.8 billion Wolters Kluwer said in a blog post last week that it had taken down a wider range of systems as a precaution to limit what it subsequently determined was a malware infection. It then enlisted the help of “third-party forensics consultants” (perhaps managed security service providers, we wonder?) to investigate further, officials said.

“Unfortunately, this impacted our communication channels and limited our ability to share updates,” Wolters Kluwer said. “We regret any inconvenience and that we were unable to share more information initially, as our focus was on investigation and restoring services as quickly as possible for our customers.” So far the Netherlands-based firm said it had not discovered any evidence that customer data had either been stolen or compromised. “There is no reason to believe that our customers have been infected through our platforms and applications. We want to apologize for any inconvenience this may have caused,” the blog post read.

Wolters Kluwer Cyberattack: Disaster Recovery Update

In an update posted on Monday, May 13, 2019, Wolters Kluwer said it had restored service to the “vast majority” of its customer applications and platforms. “Our processes and protocols provide a high degree of confidence in the security of our applications and platforms before they are brought back online,” officials said. “We continue to work around the clock to restore remaining services and we are actively communicating with our customers to update them on the latest status and to provide guidance and support.” In an earlier update posted on May 9, the firm informed customers that it had brought online its CCH SureTax and Axcess systems and expected to restore service to a number of other applications and platforms.

As for the IRS, Wolters Kluwer's latest advisory said that affected parties have until May 22 to file tax returns. “As long as the filing is done on or before the extension date, it will not be considered late by the IRS and, consequently all related penalties and interest will be waived,” the advisory said. The company said it notified customers of the extension on Friday, May 10.

MegaCortex Ransomware Involved?

The IT services provider’s ongoing internal audit of the incident notwithstanding, it has yet to provide any details about the attack. Some are suggesting that the event may have involved the ransomware MegaCortex, SecurityWeek said. Initial signs of the malware attack date to May 3, when KrebsOnSecurity noticed that the “same file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access.” In short order, some users reported outages affecting a number of CCH websites and couldn't get to their clients’ tax data in CCH’s cloud, Krebs said.

Inasmuch as Wolters Kluwer counts roughly 95 percent of Fortune 500 members among its clients, the outage and filing extension likely include a number of prominent companies. The company directed customers needing support to call its dedicated hotline at (800) 930-1753.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.