
Previously on "FirstFreelance Hacked Too"


  • Lance
    replied
    Originally posted by Flashback:
    It also looks like SJD online (online.sjdaccountancy.com) is 'back', sort of. I was in the process of moving from them anyway but this obviously sealed the deal.

    All transactions that were there before it went offline, are still there. So if it was ransomware then it was a very current backup they were able to restore from at least.
    Ransomware goes for files on file systems (desktop and servers). Not web apps.
    We know it was ransomware, and we know the group that did it.

    I speculate that the reason their web apps were down was because IT pulled the plug to limit damage. That is a standard incident response to ransomware.
    And once they had identified and removed all ransomware they turned systems back on.



  • Flashback
    replied
    It also looks like SJD online (online.sjdaccountancy.com) is 'back', sort of. I was in the process of moving from them anyway but this obviously sealed the deal.

    All transactions that were there before it went offline, are still there. So if it was ransomware then it was a very current backup they were able to restore from at least.



  • agentzero
    replied
    https://www.theregister.com/2022/02/..._vice_society/

    Confirmation of personal data from the Optionis hack being spilled over a TOR marketplace and-or onion site.



  • LordOfLard
    replied
    Also I'd like to point out FirstFreelance's address on that contact page is the exact same one as SJD's in Hemel Hempstead.



  • LordOfLard
    replied
    SJD Online was also using PHP 5.3, which was EOL'd hundreds of years ago by now and suggests they aren't even bothering to keep their systems up to date.

    I'm not saying they got hacked this way, but stuff like this is always a symptom of poor practice.

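    A defender-side check for the banner symptom described in the post above, added here as an example and not taken from the thread: it parses a constructed HTTP response header block and flags a PHP branch that is past its published end-of-life date (the three dates in the table are from php.net's supported-versions history; the sample headers are made up).

```python
"""Flag end-of-life PHP branches advertised in HTTP response headers."""
from datetime import date
import re

# Partial table of PHP branch end-of-life dates (extend as needed).
PHP_EOL = {
    "5.3": date(2014, 8, 14),
    "5.6": date(2018, 12, 31),
    "7.4": date(2022, 11, 28),
}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response header block into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def php_branch(headers: dict):
    """Return 'major.minor' of an advertised PHP version, or None."""
    for name in ("x-powered-by", "server"):
        match = re.search(r"PHP/(\d+)\.(\d+)", headers.get(name, ""))
        if match:
            return f"{match.group(1)}.{match.group(2)}"
    return None


def eol_finding(raw: str, today: date = None):
    """Return (branch, eol_date) if the server advertises an EOL PHP branch."""
    today = today or date.today()
    branch = php_branch(parse_headers(raw))
    eol = PHP_EOL.get(branch)
    if eol and eol <= today:
        return branch, eol
    return None


# Constructed sample: what an unpatched PHP 5.3 host would typically send.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
          "X-Powered-By: PHP/5.3.29\r\nContent-Type: text/html\r\n")

if __name__ == "__main__":
    print(eol_finding(SAMPLE))
```

    Point it at your own servers' responses only; a missing banner does not prove the software is current, it only means the version is not advertised.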


  • Lance
    replied
    Originally posted by Fred Bloggs:

    Too late for that?
    Depends how much was encrypted before they spotted it. And depends how good their backups are or whether the backups got hosed first (common tactic).
    I guess we won’t find out unless they go bankrupt and the administrators make it public knowledge. Which is quite probable if they’re owned by a hedge fund.
    Glad I’m not with them. Glad I completed my SATR already.
    Really glad I left them about 6 years ago when I had some benchtime.



  • Paralytic
    replied
    Originally posted by Lance:

    Occam's razor would suggest ransomware though. And they have shut down/disconnected all other systems to prevent destruction of more information whilst they isolate it. **** the punters for now, they just want to avoid a huge Bitcoin bill.
    Yes, I suggested ransomware when the first Umbrella got taken down. It can be both. Log4J vulnerability to get access, then inject ransomware.



  • Fred Bloggs
    replied
    Originally posted by Lance:

    Occam's razor would suggest ransomware though. And they have shut down/disconnected all other systems to prevent destruction of more information whilst they isolate it. **** the punters for now, they just want to avoid a huge Bitcoin bill.
    Too late for that?



  • saptastic
    replied
    Originally posted by eek:

    30 seconds of research

    Ultimate owner of Brookson is Riverside Partners

    Ultimate owner of Optionis are Sovereign Capital Partners Llp

    so completely different.
    Both PE investments from the looks of it



  • Lance
    replied
    Originally posted by Paralytic:
    I love all the conjecture (someone always wants it to be a disgruntled ex-employee), but I suggest Occam's razor should be at play here. ie. a software vulnerability is being used against the various umbrella/finance companies and those that want to benefit from that are working their way through the IP address stack across the public facing internet looking for targets. Our life-lens means it looks like this subset of companies is being targeted, but that's not necessarily the case. I'd not assume the same attacker for each and every target either.

    But, if we're doing conjecture, I'm going with the Log4J vulnerability that was identified at the end of last year.
    Occam's razor would suggest ransomware though. And they have shut down/disconnected all other systems to prevent destruction of more information whilst they isolate it. **** the punters for now, they just want to avoid a huge Bitcoin bill.



  • Fred Bloggs
    replied
    I have only the slightest understanding of the techy stuff here. It would be too good to be true, I suppose, that these awful companies never reopen because all their systems are wrecked?

    If that were to come to pass, it would be mildly inconvenient for some contractors (who for their own good should have moved their business accounts anyway). But overall it would be very good for the future of the industry.

    I guess it's just too good to be true though.



  • eek
    replied
    Originally posted by agentzero:

    A complete loss or partial loss?

    One has to look at past IPs referenced to determine the value vs effort in looking at vulnerability tracking websites, rather than waste time.

    The more interesting thing is that Parasol/SJD have left their cloudwaysapps server online but redirected the DNS that led to this elsewhere. To save me time, it's easier if somebody can reference the .aspx/.asp server mentioned, as otherwise it takes at least 24 hours to perform a scan of all IPs and their vulnerability history, and as you mention Eek many of these will be reassigned IP addresses.

    As Paralytics has mentioned, there is a high chance that this is the log4j vulnerability in action. Even if it was patched, other issues emerged. There is still no patch that leads to a 100% fix yet.
    But you are looking at the marketing / sales pitch websites not the background portals where the real work is done.

    You need to identify what the urls for those portals were and track those not the marketing pages on the (probably wordpress based) branded sales and blog website.



  • agentzero
    replied
    Originally posted by eek:
    agentzero I'm at a complete loss as to what you are saying that,

    A number of forward facing marketing websites (as that is all the core www.xyz.com sites are) are now pointing at an ip address of a firm that does website marketing for Professional service firms (i.e. accountants).
    A complete loss or partial loss?

    One has to look at past IPs referenced to determine the value vs effort in looking at vulnerability tracking websites, rather than waste time. If a common accounting package or software is at one of those IPs, I would look further into that, given the nature of Parasol's business. If it was a tyre company at that IP, I wouldn't bother looking further.

    The more interesting thing is that Parasol/SJD have left their cloudwaysapps server online but redirected the DNS that led to this elsewhere. To save me time, it's easier if somebody can reference the .aspx/.asp server mentioned, as otherwise it takes at least 24 hours to perform a scan of all IPs and their vulnerability history, and as you mention Eek many of these will be reassigned IP addresses.

    As Paralytics has mentioned, there is a high chance that this is the log4j vulnerability in action. Even if it was patched, other issues emerged. There is still no patch that leads to a 100% fix yet.
    Last edited by agentzero; 26 January 2022, 16:06.



  • Paralytic
    replied
    I love all the conjecture (someone always wants it to be a disgruntled ex-employee), but I suggest Occam's razor should be at play here. ie. a software vulnerability is being used against the various umbrella/finance companies and those that want to benefit from that are working their way through the IP address stack across the public facing internet looking for targets. Our life-lens means it looks like this subset of companies is being targeted, but that's not necessarily the case. I'd not assume the same attacker for each and every target either.

    But, if we're doing conjecture, I'm going with the Log4J vulnerability that was identified at the end of last year.
    Last edited by Paralytic; 26 January 2022, 16:04.



  • eek
    replied
    agentzero I'm at a complete loss as to what you are saying that,

    A number of forward facing marketing websites (as that is all the core www.xyz.com sites are) are now pointing at an ip address of a firm that does website marketing for Professional service firms (i.e. accountants).
