ONUS, the Vietnamese crypto trading platform, recently experienced an attack stemming from the Log4j vulnerability (CVE-2021-44228). ONUS allows users to trade cryptocurrencies through its app, which is available for iOS and Android. The organization has grown significantly in the 18 months since the app’s launch in March of 2020, with a large portion of users in Vietnam, Nigeria, and the Philippines.
Financial organizations, and crypto platforms in particular, are juicy targets for attackers looking to lift personal information, payment information, and monetary sums, all of which are present in a typical crypto company’s data stores. ONUS is no different: the Log4j exploit allowed attackers to access stored information about the organization’s customers.
The vulnerability existed in the point-of-sale (POS) solution used by ONUS, and the attackers were able to get into servers and create a backdoor for extended access to electronic Know Your Customer (eKYC) information, which includes identification documents and customer video selfies, among other information used to authenticate customers.
CyStack, the vendor for the POS solution Cyclos used by ONUS, acknowledged that the Log4j vulnerability was the entry point for the attacks. Upon further analysis, CyStack determined that attackers leveraged misconfigurations and permissions in ONUS’ AWS S3 buckets to access and exfiltrate the information.
The attackers were able to make off with the data before an update patching the Log4j vulnerability was available and demanded $5 million in ransom for the stolen information. The Log4j exploit has been used in the wild to install malware, use remote machines for crypto mining, and deploy ransomware binaries.
The attackers waited until 25 December 2021 for payment from ONUS, and when they did not receive the ransom, they put the information of close to 2 million customers up for sale. The data was listed on the Raid forum and includes personal information and hashed passwords. It also includes eKYC information, which comprises identification cards, passports, and video selfies of users for authentication purposes.
CyStack did ultimately make recommendations for ONUS to help prevent these vulnerabilities from being exploited in the future. These recommendations include:
- Patching the Log4j vulnerability in Cyclos using the vendor’s instructions.
- Deactivating all of the leaked credentials for the AWS S3 buckets.
- Configuring permissions to secure access to AWS S3 buckets.
- Blocking public access to S3 buckets and requiring tokens for access to sensitive objects.
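As an added example (not from the article, ONUS, or CyStack), here is a small offline check for the class of S3 bucket-policy misconfiguration the last two recommendations address: it flags Allow statements granted to anonymous principals, with a weak policy beside a hardened one. The bucket name, account id and role name are constructed placeholders.

```python
import json

# Constructed sample policies (bucket name and account id are placeholders).
# The weak one is the anonymous-read grant that makes a bucket world-readable.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-ekyc-bucket/*"}]}

# Hardened: only a named application role may read, and plaintext transport is denied.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ekyc-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-ekyc-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-ekyc-bucket",
                                    "arn:aws:s3:::example-ekyc-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def is_anonymous_principal(principal):
    """True when a statement applies to everyone: "*" or {"AWS": "*"} (both mean anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy):
    """Return (Sid, kind) for Allow statements aimed at anonymous principals.
    `policy` is a dict or the JSON string `aws s3api get-bucket-policy` returns.
    A Deny to "*" is not public; an anonymous Allow with a Condition is 'conditional'."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), kind))
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_statements(json.dumps(pol)) or "no anonymous grants")
```

The account-level S3 Block Public Access setting rejects a policy like the weak one outright; this check is for reviewing policies exported from buckets that already exist.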
The Log4j vulnerability has been extensively exploited since its discovery in late 2021. Organizations and vendors are scrambling to create and implement patches for this zero-day, which allows remote code execution. The Log4j vulnerability received a CVSS score of 10, meaning it is a critical risk. The Common Vulnerability Scoring System (CVSS) is used to rate vulnerabilities so cyber security professionals can prioritize their patching efforts.
A rating of 10 puts remediation of this vulnerability at the top of your security priority list. Updating to Log4j version 2.17 will aid in the remediation process. Based on statistics by Snyk, 60.8% of Java projects rely on Log4j indirectly, which means that even if your organization is not using software that directly relies on Log4j, there are dependencies that could indirectly affect your security posture.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
[Image: ONUS trading platform. Source: Lưu Quý / VnExpress]