A major payroll provider used by thousands of businesses in the United States, including government agencies, is reporting that it expects to be down for “weeks” due to a devastating ransomware attack.
Kronos, known to be used by several thousand companies ranging from Tesla to National Public Radio (NPR), had its Private Cloud service go offline on Monday. This element is central to its UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions services used to track employee hours and process paychecks. The company confirmed that it had discovered an ongoing ransomware attack on December 11 and had taken the services hosted in Kronos Private Cloud offline as part of its mitigation measures. Kronos did not give a timetable for recovery but said that it expects it to be at least several days, if not weeks, before the services are fully online again.
Though it has not been confirmed, there is speculation that the notorious Log4Shell vulnerability was involved given that the Kronos cloud services are known to be built on Java to a great degree.
Ransomware attack disrupts major payroll provider ahead of Christmas
The ransomware attack apparently did so much damage that Kronos expects it to be several days before even some level of service is restored. Given that full recovery could take weeks, the company has urged customers to look for other payroll providers to fill in for now.
It is not known what malware was involved in the ransomware attack or how it got started, but Kronos chose this moment to put out a prominent notice about its awareness of the recently discovered Log4J vulnerability and its ongoing efforts to patch its systems against it. While the company did not draw a direct connection between that and the ransomware attack, this notice, together with the fact that the Kronos cloud services are built with a great deal of Java, has led to speculation that the highly publicized Log4Shell exploit may have been involved.
Whatever the vulnerability source, Erich Kron (security awareness advocate at KnowBe4) notes that the holiday vacation period for many companies is when cyber criminals can be expected to pull double shifts: “Ransomware gangs often time attacks to take place when organizations are short staffed due to holidays, or when they are extremely busy, with the hope that the attack will take longer to spot and response times will be much slower. In addition, the pressure to service customers during these crucial times can be very high, making it more likely that the victim will pay the ransom in an effort to get operations back up and running quickly … Unfortunately, the Grinch has impacted Christmas for a lot of people using the KPC services. Hopefully, this does not result in a subscription to the ‘Jelly of the Month Club’ in lieu of the annual bonuses.”
Log4j attacks surge after vulnerability disclosure
The Log4J vulnerability was a bombshell due to the scope of possible victims (essentially any Java web server or application that logs through the library) and the ease with which an attacker could use it. It was disclosed to the public on December 9, and by the end of the following weekend researchers had already detected hundreds of thousands of attacks being launched around the world.
A commonly used logging library for Java applications, Log4J is so ubiquitous that it is bundled into quite a few major open source software packages. The exploit requires no more than getting a specially crafted string into something the application logs; once the vulnerable component processes that string, the attacker has a point of entry into the company network, running with whatever privileges the application itself holds, from which lateral movement can follow. The vulnerability has been patched by publisher Apache, but the fix only takes effect once administrators upgrade to the new versions of the software.
Microsoft’s security team has reported that ransomware attacks are already unfolding after these breaches in at least several cases. It is unknown whether the payroll provider had patched the Log4J vulnerability prior to its own ransomware attack, but it is likely that some administrators will take weeks to get to it; this could be exacerbated by the timing, landing in a Christmas holiday season in which people are starting to take time off from their jobs and companies generally relax their postures until the new year rolls around.
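The patching lag described above starts with a simpler problem: many administrators do not know where Log4J is installed, because the library is usually bundled inside application archives rather than installed on its own. The following Python script is an added example written for this page (not Kronos's or Apache's own tooling) of the inventory step an administrator would run before upgrading. It walks a directory tree, recognises log4j-core jars by file name or by the presence of the library's JndiLookup class (which also catches renamed or shaded copies), recurses into WAR and fat-jar archives, and compares each jar's manifest version against a minimum patched version. The DEMO_MIN_SAFE threshold, the sample directory tree and the jar contents are all constructed for the demo; a real run would take the fixed version from Apache's advisory.

```python
import tempfile
import zipfile
from io import BytesIO
from pathlib import Path

# Real class entry shipped in log4j-core jars; used here only to recognise the
# library when a jar has been renamed or shaded. Its presence does not by itself
# mean the jar is vulnerable: patched releases still carry it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Constructed threshold for this demo, not a real release number. On a real
# host, set this from the fixed version named in Apache's advisory.
DEMO_MIN_SAFE = (2, 50, 0)


def parse_version(text):
    """Turn '2.14.1' or '2.14.1-rc1' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple((parts + [0, 0, 0])[:3])


def manifest_version(zf):
    """Return Implementation-Version from an open jar's manifest, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def classify(version, min_safe):
    """'unknown' when no version could be read: those jars need manual inspection."""
    if version is None:
        return "unknown"
    return "patched" if parse_version(version) >= min_safe else "vulnerable"


def scan_archive(source, label, min_safe, findings):
    """Inspect one archive and recurse into any jar bundled inside it (WARs, fat jars)."""
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return
    with zf:
        entries = zf.namelist()
        own_name = label.rsplit("!", 1)[-1].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if own_name.startswith("log4j-core") or JNDI_LOOKUP_CLASS in entries:
            version = manifest_version(zf)
            findings.append((label, version, classify(version, min_safe)))
        for entry in entries:
            if entry.lower().endswith(".jar"):
                scan_archive(BytesIO(zf.read(entry)), f"{label}!{entry}", min_safe, findings)


def scan_for_log4j(root, min_safe):
    """Walk root and return (location, version, status) for every log4j-core found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".jar", ".war", ".ear"):
            scan_archive(str(path), str(path), min_safe, findings)
    return findings


def make_jar(version, include_lookup=True):
    """Build a constructed in-memory jar for the demo (not a real Apache artifact)."""
    manifest = "Manifest-Version: 1.0\n"
    if version is not None:
        manifest += f"Implementation-Version: {version}\n"
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def build_sample_tree(root=None):
    """Lay out a constructed directory tree that exercises each case the scanner handles."""
    root = Path(root or tempfile.mkdtemp())
    lib = root / "opt" / "app" / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(make_jar("2.14.1"))        # below threshold
    (lib / "log4j-core-2.50.0.jar").write_bytes(make_jar("2.50.0"))        # at threshold
    (lib / "log4j-api-2.14.1.jar").write_bytes(make_jar("2.14.1", False))  # not core: ignored
    (root / "vendor").mkdir()
    (root / "vendor" / "shaded-app.jar").write_bytes(make_jar(None))       # renamed, no version
    (root / "webapps").mkdir()
    with zipfile.ZipFile(root / "webapps" / "app.war", "w") as war:        # nested inside a WAR
        war.writestr("WEB-INF/lib/log4j-core-2.3.2.jar", make_jar("2.3.2"))
        war.writestr("WEB-INF/lib/other-lib-1.0.jar", make_jar("1.0", False))
    return str(root)


if __name__ == "__main__":
    for location, version, status in scan_for_log4j(build_sample_tree(), DEMO_MIN_SAFE):
        print(f"{status:10} {version or '?':8} {location}")
```

Two design choices matter for the kind of holiday-season patching gap the article describes. First, a jar whose version cannot be read is reported as "unknown" rather than dropped, because a silent miss is exactly what leaves a vulnerable copy running for weeks; those entries are the ones to inspect by hand. Second, the scanner recurses into nested archives, since a log4j-core jar that lives inside a WAR or fat jar never appears on the filesystem under its own name and would be missed by a plain file search.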
Customers left in a mess, seeking new payroll providers ahead of holidays
Kronos customers are not just out a payroll provider ahead of one of the busiest seasons in several industries (and a common time for distribution of yearly bonuses), but are also left wondering if they lost a variety of sensitive data. Payroll providers have access to both corporate and individual financial information that could easily be used for theft and scams, and ransomware attacks now frequently begin with the exfiltration of data such as this and threats to publish it on the dark web if payments are not made.
As of this writing, Kronos has had no new updates for these customers (other than directing them to other payroll providers). The issue highlights the need for contingency plans for ransomware attacks, something that was clearly inadequate in this case. While that largely falls on Kronos in this case, Nick Tausek (Security Solutions Architect at Swimlane) takes note of some elements that all organizations should be considering in preparation for (highly likely) future ransomware attacks: “To lessen the chance of attacks like this happening in the future, companies should consider implementing one all-encompassing platform that centralizes detection, response and investigation protocols into a single effort and helps security teams automate certain tasks. By leveraging the power of low-code security automation, companies can respond to more alerts in less time, vastly decreasing the risk of a targeted ransomware attack without increasing the workload on security operations staff.”
Amit Shaked, Co-Founder & CEO of Laminar, adds: “Data is no longer a commodity, it’s a currency — as this incident represents. Information within an organization’s network is valuable to both businesses and attackers. With a majority of the world’s data residing in the cloud, it is imperative that organizations become cloud native when thinking about data protection. Solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data resides. Using the dual approach of visibility and protection, data protection teams can know for certain which data stores are valuable targets and ensure proper controls as well as backup and recovery flows are in place.”