Kronos, a widely used multinational workforce management platform, was hit with a serious ransomware attack in the second week of December.
Kronos posted in its blog on December 13, 2021, that the ransomware attack disrupted the platform’s Private Cloud services. According to UKG, Kronos’ parent company, the service is going to be out for “several weeks,” and the company even went as far as to urge customers to evaluate alternative business-related services to affected Kronos solutions.
According to its website, Kronos has more than 40 million people in over 100 countries using its services every day. That includes half of the Fortune 1000. This makes it obvious that the impact of the attack is going to be felt by a wide range of companies and employees in both the public and private sectors.
Who is affected by the Kronos Ransomware attack?
(Review our August 2021 webinar on ransomware attacks - Preventing and Responding to Ransomware)
The first to feel the effect may be employees of companies that use Kronos to track employees’ hours and payroll information. It’s still unclear how many companies are impacted, and we know that they will continue to be affected for several weeks, at least.
The immediate impact is on payroll and paying employees. Several companies may turn to issuing paper checks to ensure people get paid on time, especially ahead of the holidays.
One of the more concerning issues, as in most attacks, is data breach. The City of Cleveland, where Kronos has a location, has already reported that information such as employee names, addresses, employee IDs and last four digits of Social Security numbers may have been compromised.
Another effect, both short and long term, is on scheduling. Shannon Medical Center in San Angelo, Texas, is one of many Kronos healthcare clients that have been impacted. Shannon Medical Center uses Kronos for timekeeping as well as scheduling. Along with other hospitals, public safety services such as fire stations, local governments and municipalities, and transportation authorities, it uses Kronos as a provider for those services, so there could be an immediate impact on public safety, in addition to data exfiltration.
Availability of services and disruptions in operations for businesses and healthcare providers, especially during COVID-19 surges, are also of major concern.
Some of the larger clients and employees that are affected by the attack, in addition to the City of Cleveland and Shannon Medical Center include: New York’s Metropolitan Transportation Authority, Oregon Department of Transportation, Hawaii’s Board of Water Supply and Emergency Medical Services, the University of Utah, George Washington University, Winthrop University Hospital, Clemson University, as well as companies like Tesla, Whole Foods, Staples, Puma, and more.
Is the Log4j vulnerability involved in this attack?
It is not yet clear how Kronos’ systems were attacked. The Log4j vulnerability was discovered at the end of November. The two issues haven’t been connected yet, but they also aren’t ruled out.
The Log4j vulnerability is a flaw in a ubiquitous open-source library called Log4j, which can be found in many applications written in Java, a programming language used widely across the internet. Web apps and services worldwide were exposed to remote code execution (RCE) exploits, which allow a remote attacker to take over a device or system running the affected software.
UKG stated that it was aware of the vulnerability and put controls in place to detect attempts.
What is next?
Companies have already taken steps to adopt alternative methods to track time and schedules and to issue paychecks, including doing so offline.
UKG has also urged customers of the service to evaluate alternative protocols related to the affected services.
There are important steps you need to take to protect and mitigate against ransomware attacks:
- Change passwords, a smart and safe step to protect against misuse of any information that might have been breached in this attack
- Conduct ongoing cyber-training for your personnel and practice good cyber hygiene techniques
- Have a clear understanding of your cyber posture
- Have a cyber incident response plan ready
Given that it will take several weeks, according to Kronos, to restore the service, it will likely take even longer to find the full impact of the attack, especially if it is found to be related to the Log4j vulnerability.
In addition to protecting critical infrastructures from being attacked and public safety services being compromised, ransomware attacks on companies such as Kronos leave them vulnerable to lawsuits from. This is why organizations should put a premium on an improved cyber posture as well as network monitoring, so they can detect unusual activity when it happens and be prepared to investigate and mitigate the results of that activity.