
FirstFreelance Hacked Too


    FirstFreelance have been hacked too. Services offline, including phone contact.

    Website: https://firstfreelance.com/contact/

    I'm not a customer but a friend in London is and informed me they had been contacted to notify of the hack and loss of service.

    This company is mentioned in the Accountant Recommendation thread but I can't find much information about them. Anybody use them or have any further info? I think it is fair to say that there are two possibilities for Parasol group, Brookson and FirstFreelance:

    They all had insecure cloud configurations. All of them? Seems unlikely that this is an architectural design flaw and, as a result:

    They're all using a specific accounting package, software, or some other central company that manages their Azure or AWS cloud instances that has had an inherent exploit possible. It wouldn't surprise me if they hadn't tuned their WAF appropriately and some software has been running for them all that is now compromised. Hopefully The Register picks this up and runs with it further.

    #2
    I'm very interested to know why they are being hit. I would have thought being a forum of IT bods we would have managed to find out exactly what the root cause is, possibly a package they all use for example. I'm surprised we are into our, what, fifth hack and still don't know what app it is.
    'CUK forum personality of 2011 - Winner - Yes really!!!!



      #3
      Disgruntled contractor perhaps?



        #4
        Originally posted by ladymuck
        Disgruntled contractor perhaps?
        Disgruntled potential FCSA member is the story I've now heard from multiple separate sources

        The story is that the FCSA took their money and then said Nope.
        merely at clientco for the entertainment



          #5
          A possibly insecure or possibly unprotected Windows server directly connected to the internet and serving up .asp/.aspx has been mooted in another thread as a potential for the Parasol attack.
          Former IPSE member
          My Website



            #6
            Originally posted by courtg9000
            A possibly insecure or possibly unprotected Windows server directly connected to the internet and serving up .asp/.aspx has been mooted in another thread as a potential for the Parasol attack.
            Yep by me - see the more nuanced answer above via multiple sources.
            merely at clientco for the entertainment



              #7
              I can only speak for what's happened to Parasol group, but as I've mentioned on other threads I hope this is the end of SJD, Nixon Williams, and all the other companies brought under the Parasol umbrella company. They aren't cheap and cheerful and have no excuse for paying staff poorly, hiring naive young non-accountants, and treating their customers with contempt.

              These companies might use Xero and Freeagent, but I expect that the central cloud management IT company have either been hacked, with someone using a known exploit via this company. If they haven't had a WAF set up correctly and tested then it is possible that older junk accounting software has been implemented in the cloud instance with no WAF or partial WAF configuration.

              If anybody has worked for RBS, they will know that sprawling systems and undocumented architecture are standard there. I expect accounting firms are the same and have lots of legacy software that they haven't updated for ages.

              In the case of First Freelance, Nixon Williams, SJD, Parasol, they had their phone lines go offline and become unreachable too. Laterally moving within a correctly configured cloud instance is almost impossible, so I think some commonality not yet revealed has caused this outage. It is likely to be a murky mix of multiple things. Compromising one piece of software shouldn't allow a hacker to move laterally across cloud estate. Physical estate, possibly so.

              If anybody from these companies wants to report here anonymously then that would be very helpful, particularly if you are thinking of leaving one of these companies or have already left.
              Last edited by agentzero; 26 January 2022, 14:55.



                #8
                Originally posted by eek

                Disgruntled potential FCSA member is the story I've now heard from multiple separate sources

                The story is that the FCSA took their money and then said Nope.
                Nah! That's on the scale of my hamster ate the security certificates!
                My money is on the Turkish, Ukrainian or Romanian mafias
                North Korea is a possible too but unlikely. This is looking like crime not a low grade attempt to embarrass a western government.
                Former IPSE member
                My Website



                  #9
                  Actually it's just part of the Optionis group so part of Parasol/NW so it's the same attack

                  Acquisition of First Freelance by Optionis Group Limited - BDO
                  merely at clientco for the entertainment



                    #10
                    Originally posted by courtg9000
                    A possibly insecure or possibly unprotected Windows server directly connected to the internet and serving up .asp/.aspx has been mooted in another thread as a potential for the Parasol attack.
                    There are some options here, assuming this is true for a minute: they ran this server in the same cloud VPC with all other services, perhaps even the database. It's then possible databases were unencrypted and they acquired other passwords to crucial services and so extracted those before installing ransomware.

                    If this is an on-site installation and not cloud, then it's possible the hackers have taken everything and encrypted much other stuff, including backups. These companies don't hit me as being knowledgeable about IT or architecture. Due to the large number of mess-ups they have made, I hope they are one-way encrypted with ransomware and can't return to service.

                    I have sympathy for the normal human workers affected and contractors affected by this. I have no sympathy for the management, as they have been awful for a few years now and there has been fair warning on this forum, including my own experience that saw a friend I helped recover from a lot of money lost due to managers in one of these firms lying about submitting accounts and Companies House striking off the company, with all bank accounts frozen. He had just lost his wife to covid. Court date still awaits.
