Preface: In October 2020, two of the largest human resources (HR) technology vendors, Kronos and Ultimate Software, merged into UKG (Ultimate Kronos Group). Together, the two companies now bring customers more than 70 combined years of experience in the industry.
Background: Kronos’ system integration accepts CSV files as an import data source. The integration is done via a comma-delimited flat file (CSV) in Windows format. The file is delivered to the Kronos server daily via SFTP. Can a CSV contain malicious code? The program that opens the file (typically a spreadsheet application) first parses and processes any formula that begins with “=” before displaying any content to the user. A formula injected into the CSV might contain a call to a system function, or it may carry a malicious payload that can exploit the victim’s system. So the answer is yes, it is possible. But the malicious code is not executed automatically; it requires social engineering to trigger the action.
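A defensive check for the CSV behaviour described above, as an added example that is not part of the original post or any Kronos/UKG code: it flags and neutralizes formula-like cells in an inbound feed. The column names and sample rows are constructed, and it goes beyond the “=” case to the other leading characters (+, -, @) that spreadsheets also treat as the start of a formula.

```python
import csv
import io
import re

# Leading characters that spreadsheet programs treat as the start of a formula.
# The page names "="; "+", "-" and "@" are added here as a generalization.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell as a formula."""
    stripped = cell.lstrip()
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    # Signed numbers such as "-2.5" are legitimate data, not formulas.
    return PLAIN_NUMBER.fullmatch(stripped) is None

def scan_csv(text: str):
    """Return (row_number, column_number, value) for every formula-like cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text, newline="")), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings

def sanitize_csv(text: str) -> str:
    """Rewrite the file with formula-like cells forced to plain text."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)  # default terminator is CRLF
    for row in csv.reader(io.StringIO(text, newline="")):
        # A leading apostrophe makes the cell plain text instead of a formula.
        writer.writerow(["'" + c if is_formula_like(c) else c for c in row])
    return out.getvalue()

# Constructed sample feed (hypothetical columns, harmless formulas).
SAMPLE = (
    "EmployeeID,Name,HoursAdjust,Comment\r\n"
    "1001,Alice Wong,-2.5,OK\r\n"
    "1002,=1+1,8,@SUM(1)\r\n"
    '1003,"Chan, Bob",+4," =A1"\r\n'
)

if __name__ == "__main__":
    for row, col, value in scan_csv(SAMPLE):
        print(f"row {row} col {col}: {value!r}")
    print(sanitize_csv(SAMPLE), end="")
```

For an automated import feed, rejecting the file when `scan_csv` returns findings is the stricter alternative to rewriting it.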
Suppose Kronos Workforce Central is installed in the cloud and the victim’s workstation has a shared drive of the Workforce Central server attached. When the malicious code in the CSV is triggered through social engineering, it downloads the ransomware payload. As a result, it can then lock all the files.
So if Kronos was hit by ransomware, it is most likely an insider threat. An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the cloud system.
Details of attack: Headline news – “Kronos Warns Cyberattack May Knock HR Software Offline for Weeks”. Kronos hasn’t said whether the attack is related to the Log4Shell vulnerability discovered this past weekend. For more details, please refer to the link https://www.bloomberg.com/news/articles/2021-12-14/kronos-warns-cyberattack-may-knock-hr-software-offline-for-weeks