It was a crazy weekend for cyber-attacks. People seem surprised, but those of us in the industry aren’t surprised one bit. It is very logical and foreseeable that attackers are leveraging attacks that cause maximum disruption across multiple victims, including third-party vendors and their customers. It is a “one-stop shop” strategy that is used every day in the business world, so why not for organized criminal cyber-attackers?
Here’s an update on the Apache and Kronos situations, which have not yet been confirmed as related, but frankly, the timing does seem more than coincidental. Whether related or not, both are worthy of mention in this week’s Insider.
The Log4Shell vulnerability, discovered by the Alibaba Cloud Security Team and disclosed by Kronos on December 9, 2021, has affected multiple versions of the Apache log4j 2 utility. The vulnerability (CVE-2021-44228, CVSS score 10.0) affects Apache log4j 2 versions 2.0 through 2.14.1. According to Randori, “the vulnerability allows threat actors to execute unauthenticated remote code execution,” which means that “any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation. This vulnerability is being exploited in the wild and thousands of organizations are impacted. This vulnerability poses a significant and active real world risk to affected systems—PLEASE TAKE IMMEDIATE ACTION.”
A second vulnerability was discovered on December 14, 2021. According to Unit 42 of Palo Alto Networks, exploitation of the vulnerability “was incredibly easy to perform” and “massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems. We highly recommend that organizations upgrade to the latest version (2.16.0) of Apache log4j for all systems” which will also patch the vulnerability found on December 14, 2021.
According to the Cybersecurity and Infrastructure Security Agency’s (CISA) alert on December 15, 2021: “Apache has released a security update to address a second severe vulnerability affecting its Log4j software library, which a remote attacker could exploit to cause a denial-of-service condition…. Affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to protect against both vulnerabilities. Log4j is broadly used in a variety of consumer and enterprise services, websites, applications and operational technology products to log security and performance information…. It is noted that this second vulnerability could cause a ‘denial-of-service’ condition. A cyber-attack that interrupts or shuts down mission-critical medical technology could cause delays in health care delivery and risk patient safety. Thus, we strongly advise the field to expeditiously implement this second patch, and we urge the government to take immediate countermeasures against any cyber actor and their infrastructure identified as attempting to exploit these vulnerabilities.”
The bottom line right now is to patch as quickly as possible if you have not already done so and hope you have not already been compromised.
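The first step in “patch as quickly as possible” is knowing where log4j actually lives on your systems, because it is usually bundled inside other software rather than installed on its own. The script below is an added example, not code from the newsletter or from Apache or Kronos: it walks a directory tree, finds every log4j-core jar, reads the version from the Maven `pom.properties` file that the log4j build embeds in the jar (falling back to the filename when that file is missing), and flags anything below the 2.16.0 release recommended above. The sample jars it scans are constructed in a temporary directory so the example runs offline.

```python
"""Inventory log4j-core jars on disk and flag any below the patched release.

Added example (not from the original post). Assumptions: log4j 2.x jars carry
a Maven pom.properties at META-INF/maven/org.apache.logging.log4j/log4j-core/,
and the target version is the 2.16.0 release the post recommends.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)  # upgrade target named in the post
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_log4j_version(jar_path):
    """Return the log4j-core version embedded in a jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PATH in zf.namelist():
                # The embedded pom.properties is authoritative even if the jar was renamed.
                for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1].strip())
    except zipfile.BadZipFile:
        return None
    # Fall back on the conventional filename log4j-core-<version>.jar
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None


def scan_tree(root):
    """Yield (path, version_string, status) for every log4j-core jar under root."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        version = jar_log4j_version(path)
        if version is None:
            continue
        status = "ok" if version >= FIXED_VERSION else "NEEDS UPGRADE"
        findings.append((str(path), ".".join(map(str, version)), status))
    return findings


def _write_jar(path, pom_version=None):
    """Build a minimal constructed jar; embeds pom.properties when a version is given."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if pom_version:
            zf.writestr(POM_PATH, f"version={pom_version}\n"
                                  "groupId=org.apache.logging.log4j\n"
                                  "artifactId=log4j-core\n")


def build_sample_tree(root):
    """Constructed sample data: two obvious jars, one renamed jar, one unrelated jar."""
    lib = Path(root) / "app" / "lib"
    lib.mkdir(parents=True)
    _write_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")      # vulnerable, named normally
    _write_jar(lib / "log4j-core-2.16.0.jar", "2.16.0")      # patched
    _write_jar(lib / "lib-bundle.jar", "2.15.0")             # renamed; only pom reveals it
    _write_jar(lib / "commons-io-2.11.0.jar")                # not log4j at all


def demo():
    """Scan a constructed tree and return {jar basename: (version, status)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(p): (v, s) for p, v, s in scan_tree(root)}


if __name__ == "__main__":
    for name, (version, status) in sorted(demo().items()):
        print(f"{status:14} {name} ({version})")
```

Point it at a real server root instead of the constructed tree to get a first-pass inventory. Two caveats a practitioner should keep in mind: the walk only looks at jars on the filesystem, so log4j-core bundled one level deeper inside a `.war` or `.ear` needs the archive opened as well, and a version check tells you whether a host is exposed, not whether it was already compromised, which the post rightly treats as a separate question.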
Kronos started notifying its customers over the weekend that it was the victim of a ransomware incident affecting the Kronos Private Cloud products Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. Kronos has not confirmed whether the incident is related to the Apache log4j zero-day vulnerability. Kronos has advised its customers that it may take several weeks to resolve and that customers should implement alternative business continuity protocols, since the products may be unavailable for several weeks. For many companies, this means time entry and payroll services may be disrupted. It is reported that many brand-name companies are being affected by the attack on Kronos, and the American Hospital Association has stated that hospitals and health systems have been affected, which is particularly difficult with the spike in Omicron COVID-19 cases in the United States.
Each customer will have to determine how to implement alternative business continuity protocols to function without the Kronos services, and what data may have been compromised in the attack, but at this point, without more information, it is a waiting game to find out what happened and what was compromised. These incidents take time to investigate and resolve. Kronos has provided a web page of updates.
One thing we can do now is to develop backup and contingency plans around critical third-party vendors, especially in this day and age of catastrophic cyber-attacks. It’s one thing to complete a tabletop simulation for your own company, but it’s just as important to simulate how you would function without the services of a critical third-party vendor.