
Ransomware attack takes down Kronos Private Cloud for several weeks

An aerial view of Tesla Shanghai Gigafactory on March 29, 2021, in Shanghai, China. Kronos, a popular HR platform used by Tesla and many other companies, was hit with a ransomware attack. (Photo by Xiaolu Chu/Getty Images)

The Kronos Private Cloud (KPC), a popular HR platform used by Tesla and many other companies, was hit with a ransomware attack over the weekend, prompting parent company UKG to tell its customers that the service may take several weeks to restore — a grim prospect with so many companies short-staffed because of the holidays.

UKG, which resulted from the merger of Kronos and Ultimate Software last year, advised its customers to implement an alternative business continuity protocol in the interim.

Company officials promised another update in the next 24 hours and said the incident only affects the Kronos Private Cloud, the portion of its business that includes UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions. UKG said as of today, there was no impact to UKG Pro, UKG Ready, UKG Dimensions or any other UKG products that are not housed in the Kronos Private Cloud.

Along with Tesla, numerous public and private sector organizations reportedly use the Kronos Private Cloud, including the city of Cleveland, Clemson University and Temple University.

“The timing of this attack, so close to the Christmas and other seasonal holidays and the end of the year, will put significant pressure on organizations that have been using the impacted Kronos Private Cloud services to manage payroll and other time-sensitive functions within their organizations,” said Erich Kron, security awareness advocate at KnowBe4. Kron said the estimated outage time of several weeks will likely have a significant impact on organizations as they try to close the year while managing not only basic payroll, but also the bonuses and other annual calculations that need to take place.

“Ransomware gangs often time attacks for when organizations are short-staffed due to holidays, or when they are extremely busy, with the hope that the attack will take longer to spot and response times will be much slower,” Kron said. “In addition, the pressure to service customers during these crucial times can be very high, making it more likely that the victim will pay the ransom in an effort to get operations back up and running quickly. This attack drives home the need to not only have, but also to practice, disaster recovery and continuity of operations plans that can be enacted quickly and efficiently.”

Ben Pick, principal consultant at nVisium, theorized that this ransomware may have been the result of a targeted phishing attack or a zero-day vulnerability, such as the recently disclosed log4j2 vulnerability. Pick said either method would have been difficult to detect and prevent because of the upcoming holidays as fewer employees are present, as well as the large size of the Kronos enterprise.

“While training may help alleviate some of the risk of becoming a victim of a phishing attack, the increased workloads around this time of year spread over fewer people leaves severe gaps in enforcing strong security behaviors,” Pick said. “At this time, the scope of the compromise is unknown, as is whether the data was exfiltrated after being encrypted. Those factors would greatly impact the total downtime and Kronos has not stated when services are likely to return.”

John Bambenek, principal threat researcher at Netenrich, said small and large businesses alike are increasingly outsourcing critical business functions to service providers — and HR functions are no exception.

“This means when those organizations go down, the impact is felt through hundreds or thousands of other companies,” Bambenek explained. “While these attacks are highly public, ransomware attacks are going after victims all of the time and many victims may never be known.”

Anurag Gurtu, CPO of StrikeReady, added that unfortunately, all Kronos customers using private clouds are facing this issue and they have to find alternative business continuity protocols to replace the impacted UKG solutions. These customers have no idea whether their data has been compromised or lost because there are no details available. Gurtu said these customers are struggling to initiate risk and communication processes at their end due to lack of information shared by UKG.

“As of now, all UKG Kronos Cloud customers should block and disable all ADFS and LDAP connections to Kronos Cloud and flag it as an untrusted entity,” Gurtu concluded.
