As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest payroll processors is reporting a ransomware attack that has taken its systems offline for at least the next several weeks.
The company said on Sunday that services using the Kronos Private Cloud had been unavailable for the past day, with the attack taking down Kronos’ UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions services.
“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” Kronos representative Leo Daley wrote. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”
Ten hours after that advisory, Daley published an update reporting that the cause of the outage was ransomware and that it “may take up to several weeks to restore system availability.”
“We deeply regret the impact this is having on you, and we are continuing to take all appropriate actions to remediate the situation,” the Kronos representative wrote. “We recognize the seriousness of this issue and will provide another update within the next 24 hours.”
Neither advisory made any mention of the method the ransomware attackers used to breach the Kronos infrastructure. A banner notice at the top of each post, however, stated:
We are aware of the log4j vulnerability reported as CVE-2021-44228. We have preventative controls in our environments to detect and prevent exploitation attempts. We have invoked emergency patching processes to identify and upgrade impacted versions of log4j. We are aware of the widespread usage of log4j in the software industry and are actively monitoring our software supply chain for any advisories of 3rd party software that may be impacted by this vulnerability.
Kronos representatives didn’t respond to an email asking if a Log4Shell exploit against its systems was the cause of the initial compromise. It wouldn’t be a stretch, though, for that to be the case. The vulnerability, which gives hackers the ability to execute malicious code with elevated system privileges, is trivial to exploit. Often, attacks can come from users visiting a page with a browser that includes plaintext commands in the user agent.
Kronos said it had retained cybersecurity experts and has notified authorities. It said customers’ on-premises services aren’t affected.
This post will be updated with any new information that comes to light.