As Log4Shell wreaks havoc, payroll service reports ransomware attack

  News
image_pdfimage_print
As Log4Shell wreaks havoc, payroll service reports ransomware attack
Getty Images

As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest human resources solutions providers is reporting a ransomware attack that has taken its systems offline, possibly for the next several weeks. So far, the company isn’t saying if that critical vulnerability was the means hackers used to breach the systems.

The company said on Sunday that services using the Kronos Private Cloud had been unavailable for the past day, with the attack taking down Kronos’ UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions services.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” Kronos representative Leo Daley wrote. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”

Ten hours after that advisory, Daley published an update reporting that the cause of the outage was ransomware and that it “may take up to several weeks to restore system availability.”

“We deeply regret the impact this is having on you, and we are continuing to take all appropriate actions to remediate the situation,” the Kronos representative wrote. “We recognize the seriousness of this issue and will provide another update within the next 24 hours.”

Neither advisory made any mention of the method the ransomware attackers used to breach the Kronos infrastructure. A banner notice at the top of each post, however, stated:

We are aware of the log4j vulnerability reported as CVE-2021-44228. We have preventative controls in our environments to detect and prevent exploitation attempts. We have invoked emergency patching processes to identify and upgrade impacted versions of log4j. We are aware of the widespread usage of log4j in the software industry and are actively monitoring our software supply chain for any advisories of 3rd party software that may be impacted by this vulnerability.

Kronos representatives responding to an email declined to say if a Log4Shell exploit against its systems was the cause of the initial compromise. It wouldn’t be a stretch, though, for that to be the case. Kronos cloud services rely heavily on Java, the software framework that Log4J is based on. The Log4Shell vulnerability, which gives hackers the ability to execute malicious code with elevated system privileges, is trivial to exploit. Often, attacks can come from users visiting a page with a browser that includes plaintext commands in the user agent.

Kronos said it had retained cybersecurity experts and has notified authorities. It said customers’ on-premises services aren’t affected.

Separately, the IT arm of the Virginia state legislature reported suffering a ransomware attack that occurred on late Friday, the Associated press reported. The Legislative Automated Systems in 2019 purchased Java licenses, an indication that the IT group uses the software framework. While it’s unknown what the vector was for the breach, both its timing and the use of Java are consistent with the possibility Log4Shell played a key role.

This post will be updated with any new information that comes to light.

Post updated to add detail about Virginia legislature ransomware attack.

https://arstechnica.com/?p=1820202