Ransomware’s Domino Effect – Apache’s Log4j Software Exploitation
The widespread exploitation of a vulnerability in Apache’s Log4j software library was announced by cybersecurity professionals on December 9, 2021 (see Apache Announcement and CISA Apache Log4j Vulnerability Guidance). This vulnerability allows hackers to access Apache Server log files, add their own code, and take control of a system. Servers, including those operated by Apple, Twitter, Valve, Tencent, and other major service providers, were potentially at risk.
By the time companies took action to determine if they were affected, Ultimate Kronos Group (UKG), “one of the world’s largest cloud companies,” had been compromised. UKG is best known for its Kronos timekeeping services, which interface with payroll systems and provide rostering and shift management services to companies employing millions of people across the globe.
UKG quickly and responsibly alerted its customers and advised them to deploy alternative business continuity protocols, or in other words, to prepare for impact. Unfortunately, those impacts have already started even though the incident is only a matter of days old. The response from some companies could be characterized as “what disaster preparedness plan? I thought that was your responsibility!”
Risk vs Reward
Cloud providers are not the “be-all and end-all” safety net for companies. While they provide a degree of resilience, they also create risk. Cloud-based systems provide accessibility should a disaster occur at your company’s physical location, but if the cloud provider is compromised, what is your backup? Most people overlook this critical component. UKG was not attacked directly as might be expected in a cyberattack; rather, their Kronos software was attacked, exposing customers who use the timekeeping service to significant risk.
What Happens Next
It’s still too early to determine the scale of this attack, but a relatively large domino effect is likely. Workers are already unable to clock their time, delaying their pay. Billing practices have been interrupted. Hospitals, first responders, retail organizations, and others that rely on UKG for scheduling may have to resort to manual processes. Safety and compliance issues may emerge, and already burdensome supply chain interruptions may worsen.
Review Your System Carefully Today
Now is the time to apply software patches if you haven’t already done so. Make sure your virus scanning software is up-to-date, check any applications that may be running on Apache servers, and ensure your partners and clients have been advised of the situation. Are you aware of their vulnerabilities and disaster response protocols? Most business continuity plans assume an outage can be restored rather quickly, an assumption that does not hold in a prolonged scenario where data is encrypted and held hostage.
This latest breach illustrates that moving data to the cloud is not foolproof. While having a cloud-based plan for server interruptions is a good strategy, plans are also needed when cloud-based servers aren’t available. If it is time to update your Business Continuity Plan, ReadyGlobal is ready now to assist you.