3rd Party Risk Management , Cloud Security , Cybercrime

HR Platform UKG Says Cloud Solutions Hit With Ransomware

Ultimate Kronos Group Estimates Service Restoration Could Take Weeks
HR Platform UKG Says Cloud Solutions Hit With Ransomware
(Photo: Pete Linforth via Pixabay)

Stay tuned for updates on this developing story.

See Also: Take Inventory of Your Medical Device Security Risks

Ultimate Kronos Group, or UKG, a U.S.-based multinational firm that provides workforce management and human resource management services, says that its private cloud service has fallen victim to a ransomware attack, according to posts on UKG's customer support feed. An executive with the company says service restoration may take "several weeks."

The incident, which is affecting Kronos Private Cloud, was first detected Saturday, and subsequently disrupted several of its solutions, including UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions.

UKG, which is the product of a merger between Ultimate Software and Kronos Inc. completed in 2020, says any of the aforementioned solutions deployed in on-premises environments are not affected, and there is no impact to the solutions UKG Pro, UKG Dimensions, or UKG Ready.

A spokesperson for UKG tells Information Security Media Group, "UKG recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers. We took immediate action to investigate and mitigate the issue, have alerted our affected customers and informed the authorities, and are working with leading cybersecurity experts.

"We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services."

Weeks to Recover?

A UKG executive also took to its forum to update customers and outline the company's recovery efforts.

"Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business continuity protocols related to the affected UKG solutions," UKG Executive Vice President Bob Hughes says. "We deeply regret the impact this is having on you, and we are continuing to take all appropriate actions to remediate the situation."

Hughes notes in the post that solutions not affected by the ransomware attack "are housed in separate environments."

Similarly, in a post to its website authored by UKG representative Leo Daley, the company recommends that affected customers "evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization."

The UKG site lists recognizable brands such as Tesla, Marriott, Yamaha, Aramark, Feeding America, Revlon and others, among its clients. It is unclear, however, which enterprises have been affected by the cloud service outage.

New York's Metropolitan Transportation Authority, or MTA, which is responsible for public transportation in the New York City metropolitan area, confirmed on Monday that its timekeeping system went dark after the UKG ransomware attack, according to the New York Post.

(Source: Ultimate Kronos Group)

Severe Vulnerability

Speaking with ISMG, the UKG spokesperson did not comment on the attack vector, attribution, or whether the compromise was related to the recently uncovered Apache Log4j vulnerability, which allows for arbitrary remote code execution and potentially full server takeover (see: Severe Apache Log4j Vulnerability Threatens Enterprise Apps).

On its website, however, UKG relays the following alert:

  • "Please note: We are aware of the Log4j vulnerability reported as CVE-2021-44228;
  • We have preventative controls in our environments to detect and prevent exploitation attempts;
  • We have invoked emergency patching processes to identify and upgrade impacted versions of Log4j;
  • We are aware of the widespread usage of Log4j in the software industry, and are actively monitoring our software supply chain for any advisories of third-party software that may be impacted by this vulnerability."

'Wide-Ranging Impact'

Some security experts say the attack is having broad and immediate effects.

Allan Liska, an intelligence analyst at the firm Recorded Future, tweeted: "This Kronos/Telestaff ransomware attack is having a wide-ranging impact. I've received several complaints from several companies that can’t process payroll."

"The timing of this attack, so close to the Christmas and other seasonal holidays and the end of the year, is bound to put significant pressure on organizations that have been using the impacted KPC services to manage payroll and other time-sensitive functions within their organization," says Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center.

Kron, who is currently a security awareness advocate at the firm KnowBe4, adds, "Ransomware gangs often time attacks to take place when organizations are short-staffed due to holidays, or when they are extremely busy, with the hope that the attack will take longer to spot and response times will be much slower. … This attack drives home the need to not only have, but also to practice, disaster recovery and continuity of operations plans that can be enacted quickly and efficiently."


About the Author

Dan Gunderman

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.