Kronos Suffers Ransomware Attack, Suspected on Log4J Exploit

A ransomware attack has hit hard on workflow management solutions provider Kronos. and knocked their services offline. The ransomware attack specifically targeted the Kronos Private Cloud. The attack also knocked offline UKG Workforce Central, UKG Tele Staff, Healthcare Extensions and Banking Scheduling Solutions.

UKG, the parent company of Kronos, said that the ransomware attack could result in its services being out for several weeks. The company even suggested that its customers should seek other ways to facilitate payroll payments and human resources-related activities.

At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve. We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules and to manage other related operations important to their organization.

Kronos Statement

Kronos did not reveal the form of ransomware involved in the attack. Reports suggest that the ransomware attack exploited a Log4shell vulnerability. The Log4shell vulnerability is related to the broad Log4j vulnerability gaining headlines over the last few days.

The Log4j vulnerability involves a flaw in the popular open-source tool for collecting diagnostics data from applications written in the Java programming language.

With the Log4j vulnerability impacting many internet-facing systems, Kronos/UKG may be old news soon. There are already reports of a variety of actors using the Log4j exploit. Microsoft has already seen a common precursor to ransomware, Cobalt Strike, landing on Log4j exploited systems. It won’t be long before hearing of ransomware events tied to Log4j as the initial vector.

Developers use libraries written by third-party companies and engineers to speed up the software release process. Log4j is an extremely basic library that allows log writing in Java applications. The way Log4j vulnerability works is that it comes in three layers: cloud products that directly use the Log4j, web applications that use libraries employing Log4j and off-the-shelf software that’s internally deployed on customer servers and endpoints. The first is where Kronos has been hit by ransomware.

Even with the best of intentions, including serious deployment of cybersecurity measures, Log4shell and Log4j is so serious because it bypasses many traditional protection solutions.

Although Kronos Private Cloud was secured by firewalls, encrypted transmissions and multifactor authentication, cybercriminals were still able to breach and encrypt its servers, this extended shutdown will likely present challenges for many organizations as they seek to roll out bonuses and employees look to request time off ahead of the holidays.

Few of notable Kronos customers include Tesla Inc., Marriott International Inc., Yamaha Corp., Aramark Corp., Samsung Electronics Co. Ltd., and Sony Music Entertainment.

Indicators of Compromise – Till Now Accumulated as a Whole

The initial compilation of Ioc’s . This may get extended in coming days