On Tuesday, 28 December 2021, ONUS, one of the largest Vietnamese crypto trading platforms, announced that it had suffered a ransomware attack targeting its payment system. The payment system was found to be running a vulnerable Log4j version, which threat actors exploited between 11 and 13 December to install backdoors on ONUS's Cyclos server. The threat actors then exfiltrated sensitive databases containing nearly 2 million customer records, including E-KYC (Know Your Customer) data, personal information, and hashed passwords.
Shortly after the incident, the threat actors contacted ONUS and demanded a $5 million ransom. ONUS declined to pay and instead disclosed the incident to its customers via a private Facebook group. Following ONUS's refusal, the threat actors put the data of nearly 2 million ONUS customers up for sale on forums.
Soon after the incident was announced, the cybersecurity firm CyStack, which provided services to ONUS, investigated it and released findings on the attack mechanics and the backdoor planted by the threat actors. The Log4Shell vulnerability was found on a sandbox server used "for programming purposes only", but a system misconfiguration allowed the attackers to pivot from that server into ONUS's Amazon S3 buckets holding production data.
Alongside the investigation's findings, CyStack also listed recommendations for ONUS, which included patching the Log4Shell vulnerability in Cyclos as instructed by the vendor, deactivating the leaked AWS credentials, properly configuring AWS access permissions, blocking public access to all sensitive S3 buckets, and imposing additional restrictions.
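The two S3-related recommendations above (correct access permissions and blocked public access) are the kind of thing that is easy to audit mechanically. The following is an added example, not CyStack's or ONUS's code: it parses a bucket policy document and the bucket's Block Public Access settings (the four real AWS field names returned by GetPublicAccessBlock) and flags any Allow statement addressed to an anonymous principal, showing a weak policy beside its hardened form. The bucket name, the account id 123456789012, the role name and both policy documents are constructed for illustration.

```python
"""Audit an S3 bucket for public-exposure misconfigurations: bucket policies
that grant access to anonymous principals, and Block Public Access settings
that are not fully enabled.

Added example, not CyStack's or ONUS's code. Bucket name, account id
123456789012, role name and the policy documents are constructed.
"""
import json

# Constructed weak policy: anyone on the internet may read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-prod-data/*",
    }],
})

# Constructed hardened policy: only one named role in the account may read.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/payment-app"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-prod-data/*",
    }],
})

# Block Public Access settings as returned by GetPublicAccessBlock
# (the keys are the real AWS field names; the values are constructed).
REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
PAB_WEAK = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_HARDENED = {k: True for k in REQUIRED_PAB}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True if the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return Allow statements addressed to an anonymous principal.

    Each finding records whether the grant is unconditional. A Condition block
    (for example restricting the source VPC endpoint) may narrow the grant, but
    such statements are still reported so a human reviews them.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "Sid": stmt.get("Sid"),
            "Action": _as_list(stmt.get("Action")),
            "Resource": _as_list(stmt.get("Resource")),
            "unconditional": not stmt.get("Condition"),
        })
    return findings


def public_access_block_gaps(config):
    """Return the Block Public Access settings that are not enabled."""
    return [k for k in REQUIRED_PAB if not config.get(k, False)]


def audit_bucket(name, policy_json, pab_config):
    """Combine both checks; a bucket passes only if nothing is flagged."""
    findings = public_statements(policy_json)
    gaps = public_access_block_gaps(pab_config)
    return {"bucket": name, "public_statements": findings,
            "pab_gaps": gaps, "passes": not findings and not gaps}


if __name__ == "__main__":
    for label, policy, pab in (("example-prod-data (before)", WEAK_POLICY, PAB_WEAK),
                               ("example-prod-data (after)", HARDENED_POLICY, PAB_HARDENED)):
        print(json.dumps(audit_bucket(label, policy, pab), indent=2))
```

In a real environment the policy document and Block Public Access settings would come from the S3 API for each bucket; the checks themselves do not change. Note that a policy naming a specific principal is only as good as the credentials behind it, which is why the recommendation to deactivate the leaked AWS credentials goes hand in hand with fixing bucket permissions.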
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.