Crypto Platform Suffers Log4j-Related Ransomware Attack
Chinese APT Also Linked to Attempted Log4j Attack on Academic Institution
ONUS, one of Vietnam's largest cryptocurrency platforms, has reportedly fallen victim to a ransomware attack that has been traced to Log4Shell, the remote code execution vulnerability in Apache's Log4j logging library, reached via third-party payment software.
ONUS, a cryptocurrency investment application first launched in March 2020 on both Android and iOS, posted to its site on Friday that its system had been "compromised as a result of a large-scale cyberattack." ONUS administrators say a "third party was able to gain unauthorized access to and steal certain critical ONUS data."
Vietnamese cybersecurity firm CyStack, which partners with ONUS and was involved with the investigation, said in a post to its site on Tuesday that the security incident "started with a Log4Shell vulnerability in their payment software provided by Cyclos."
A spokesperson for Cyclos tells Information Security Media Group that the vendor was "quite shocked and disappointed by this event" and has been in contact with ONUS' security partner, CyStack.
And, in addition to confirming details of the incident, Trung Nguyen, CEO of CyStack, tells ISMG, "We are working with Cyclos to provide them with details of the vulnerability we found after the attack."
ONUS did not immediately respond to Information Security Media Group's request for comment.
The news comes as security experts continue to warn that the Log4j remote code execution flaw is present in millions, or even hundreds of millions, of devices worldwide. Disclosure of the flaw, first reported Dec. 9, sent security teams scrambling to identify vulnerable devices, with the Apache Software Foundation pushing out a succession of patches thereafter.
'Misconfigurations and Mistakes'
CyStack security researchers Trung Nguyen, Son Nguyen, Chau Ha, Chau Nguyen, Khoi Vu and Duong Tran say that the incident was "escalated" due to "misconfigurations and mistakes in granting permissions at AWS S3 [Amazon Web Services - Simple Storage Service, a cloud storage offering]."
The CyStack researchers say, "Attackers took advantage of the vulnerability in the Cyclos software to attack even before the vendor could inform and provide patch instructions for its clients." The firm says ONUS patched the vulnerability when it was warned, but that the attackers had likely already infiltrated the system. The security unit says some 2 million ONUS users then had information leaked - including name, email and phone number, address, E-KYC [electronic Know Your Customer] data, hashed passwords, transaction history and "other encrypted information."
In its alert, ONUS says threat actors "took advantage of a vulnerability in a set of libraries on [its] system to get into the sandbox server (for programming purposes only). However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system and stole some essential data."
ONUS administrators clarify, however, that the cyberattack "did not affect any assets on ONUS."
Following the breach, ONUS says it has upgraded its asset management and storage system - to ONUS Custody v2.0. The platform also urged users to change their application passwords.
"We sincerely apologize and hope for your understanding. This is also an opportunity for us to review ourselves, upgrade and further protect the system [and] to assure the safety of our users," ONUS administrators say in their advisory.
"The attack on ONUS shows how quickly threat actors were able to weaponize the vulnerability," Davis McCarthy, a principal security researcher at the firm Valtix, tells ISMG. "Successful exploitation of Log4j happened two days after the vulnerability was published. It took ONUS five days to patch the vulnerability. It's [also] likely that other organizations will experience breaches related to Log4j, as initial access brokers slowly sell their goods to other cybercriminals."
In their report, CyStack lays out the following timeline:
- Dec. 9: Log4j vulnerability is published; platform reportedly is unaware that Cyclos was among the software affected by the Apache flaw;
- Dec. 11-13: Attackers exploit Log4j vulnerability on Cyclos server for ONUS, leaving backdoors;
- Dec. 14: Cyclos notifies ONUS of the vulnerability and issues instructions to patch, which it does;
- Dec. 23: Security unit detects "abnormal activities" and informs ONUS; ONUS confirms user data in AWS S3 had been deleted; CyStack implements incident response protocols;
- Dec. 24: Attackers send a ransom request of $5 million to ONUS via Telegram; ONUS reportedly rejects the request and discloses the attack to users. CyStack continues checking Cyclos nodes to detect/remove backdoors;
- Dec. 25: Attackers reportedly leak data on hacking forum and claim to have copies of ONUS database tables.
In their report, the researchers say: "The most serious mistake of ONUS is that ONUS granted the AmazonS3FullAccess permission to the access key which allowed attackers to compromise and easily delete all of the S3 buckets."
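The permission mistake CyStack describes is easy to catch before an attacker does: a policy that grants `s3:*` on `Resource "*"` gives any leaked access key the power to delete every bucket in the account. The following offline linter is an added example, not CyStack's or ONUS' tooling; it flags Allow statements that cover destructive S3 actions and rates them higher when they apply account-wide. The first policy document is a constructed approximation of the AWS-managed AmazonS3FullAccess policy named in the report; the second is a constructed least-privilege alternative with a hypothetical bucket name.

```python
"""Offline linter for IAM policy documents: flags Allow statements that grant
destructive S3 actions, especially on every bucket (Resource "*").

Added example, not CyStack's or ONUS' tooling. Both policy documents are
constructed for the demo.
"""
import fnmatch
import json
import sys

# S3 actions that can destroy or expose data. The incident hinged on bucket
# deletion, but a key that can rewrite bucket policies or lifecycle rules is
# just as dangerous once it leaks.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketPolicy",
    "s3:PutLifecycleConfiguration",
    "s3:PutBucketAcl",
)

# Constructed approximation of AmazonS3FullAccess: every S3 action, everywhere.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}
    ],
}

# Constructed least-privilege policy for an application that only reads and
# writes objects under one prefix of one (hypothetical) bucket. No delete, no
# bucket-level configuration changes.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-app-data",
            "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-data/uploads/*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a bare string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_all_resources(resources):
    """True when a Resource element covers every bucket in the account."""
    return any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources)


def audit_s3_policy(policy):
    """Return a list of findings; an empty list means no destructive S3 grant."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction grants everything except the listed actions, so treat it as
        # "*" (conservative: may over-flag). NotResource likewise means "everywhere".
        patterns = ["*"] if "NotAction" in stmt else _as_list(stmt.get("Action"))
        everywhere = "NotResource" in stmt or _grants_all_resources(
            _as_list(stmt.get("Resource")))
        for pat in patterns:
            # IAM action matching is case-insensitive and supports "*" and "?",
            # which is exactly fnmatch semantics on lowercased strings.
            hits = [a for a in DESTRUCTIVE_ACTIONS
                    if fnmatch.fnmatchcase(a.lower(), pat.lower())]
            if hits:
                findings.append({
                    "statement": idx,
                    "pattern": pat,
                    "actions": hits,
                    "severity": "high" if everywhere else "medium",
                })
    return findings


if __name__ == "__main__":
    # Pipe a policy document in, e.g. the Document field from
    # `aws iam get-policy-version`; with no stdin the built-in sample is used.
    doc = FULL_ACCESS_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_s3_policy(doc):
        print("[%s] statement %d: '%s' grants %s"
              % (f["severity"], f["statement"], f["pattern"], ", ".join(f["actions"])))
```

Run it against every customer-managed policy and every inline policy attached to the users whose access keys live on application servers; a "high" finding on a key that only needs to read and write objects is the configuration this incident turned on. Deletion resistance is the other half: S3 bucket versioning with MFA Delete, or S3 Object Lock, would have kept deleted data recoverable even with an over-privileged key.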
To maintain access, the firm continues, the attackers downloaded and ran a backdoor on the server, naming it kworker so that it would blend in with the Linux kernel's own kworker worker threads.
CyStack says: "The backdoor might have been created by the attackers themselves for this particular attack, based on the go-socks5 library."
Researchers say the attackers' IP addresses are likely from "VPN service providers," although "the attackers appear to be Vietnamese."
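A process that merely calls itself kworker is distinguishable from the real thing: genuine kworker threads are children of kthreadd (PID 2), have an empty /proc/&lt;pid&gt;/cmdline, and their /proc/&lt;pid&gt;/exe link does not resolve, whereas a user-space binary fails all three tests. The following scanner is an added example for the masquerade CyStack describes, not code from the report; it runs the checks on the live /proc tree or on the constructed sample records embedded below. The sample PIDs, names and paths are invented.

```python
"""Spot user-space processes masquerading as Linux kworker kernel threads.

Added example, not part of CyStack's report. Genuine kworker threads are
children of kthreadd (PID 2), have an empty /proc/<pid>/cmdline and an exe
link that does not resolve (ENOENT). A backdoor that only borrows the name
fails those checks.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcInfo:
    pid: int
    comm: str           # /proc/<pid>/comm, at most 15 chars, e.g. "kworker/u8:1"
    ppid: int           # PPid field from /proc/<pid>/status
    cmdline: str        # empty string for kernel threads
    exe: Optional[str]  # None when /proc/<pid>/exe gives ENOENT (kernel threads)


def masquerade_reasons(p: ProcInfo) -> List[str]:
    """Why a kworker-named process looks user-space; [] if it is genuine or
    not kworker-named at all."""
    if not p.comm.startswith("kworker"):
        return []
    reasons = []
    if p.cmdline:
        reasons.append("non-empty cmdline: %r" % p.cmdline)
    if p.exe is not None:
        reasons.append("exe resolves to %s" % p.exe)
    if p.ppid != 2:
        reasons.append("parent is PID %d, not kthreadd (2)" % p.ppid)
    return reasons


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from /proc; None if the process vanished meanwhile."""
    base = "/proc/%d" % pid
    try:
        with open(base + "/comm") as fh:
            comm = fh.read().strip()
        ppid = 0
        with open(base + "/status") as fh:
            for line in fh:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
        with open(base + "/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        try:
            exe = os.readlink(base + "/exe")
        except FileNotFoundError:
            exe = None                      # kernel thread: no backing executable
        except OSError:
            exe = "<unreadable: run as root>"  # EACCES on another user's process;
                                               # a real kworker never gives EACCES
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None
    return ProcInfo(pid, comm, ppid, cmdline, exe)


def scan(procs: Optional[List[ProcInfo]] = None) -> List[Tuple[ProcInfo, List[str]]]:
    """Return (ProcInfo, reasons) for every suspicious kworker-named process.
    With procs=None the live /proc tree is read."""
    if procs is None:
        procs = []
        for name in os.listdir("/proc"):
            if name.isdigit():
                info = read_proc(int(name))
                if info is not None:
                    procs.append(info)
    findings = []
    for p in procs:
        why = masquerade_reasons(p)
        if why:
            findings.append((p, why))
    return findings


# Constructed sample records: one genuine kernel thread, one fake (invented paths).
SAMPLE_PROCS = [
    ProcInfo(pid=7, comm="kworker/u8:0", ppid=2, cmdline="", exe=None),
    ProcInfo(pid=41337, comm="kworker/0:1H", ppid=1, cmdline="./kworker",
             exe="/tmp/.cache/kworker"),
]

if __name__ == "__main__":
    for p, why in scan():
        print("PID %d (%s): %s" % (p.pid, p.comm, "; ".join(why)))
```

The name check is the weak link: a backdoor renamed to anything else slips past it. The parent and exe checks are the durable part, since a user-space process cannot make kthreadd its parent or make its exe link vanish, so a broader hunt applies the same two tests to every process and then asks why a "kernel thread" holds TCP sockets (the go-socks5 proxy CyStack describes would).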
'Can't Necessarily Be Aware'
Some security experts say the ONUS attack underscores the urgency with which practitioners need to approach Log4j.
"What adds to the complexity and risk of Log4j is proven within this incident: You are generally aware if your Exchange server is out of date, but you can't necessarily be aware that your payment gateway is vulnerable to Log4j issues until they announce it, you test it, or are attacked," says Matthew Warner, CTO and co-founder of the security firm Blumira.
He says, "Cryptocurrency platforms are a highly sought-after target because of the inherent value involved. … Organizations must engage all vendors, especially ones that are internet- or user-facing, and determine if they are vulnerable to Log4j CVEs and patch or mitigate through blocking accordingly."
China-Linked APT Activity
Security firm CrowdStrike on Wednesday reported that a China-linked espionage group, tracked as AQUATIC PANDA, has attempted to leverage the Apache flaw in the Tomcat web server component of VMware Horizon. CrowdStrike's threat hunting unit, Falcon OverWatch, says it disrupted an attempted attack on "a large academic institution."
VMware first issued guidance around its Horizon service, which was found to be vulnerable to Log4j, on Dec. 14, prompting OverWatch to investigate its usage, the post reads.
The unit says the threat actor executed Linux commands on a Windows host - drawing the attention of OverWatch, which then alerted the victim organization. The researchers say the actors used a modified version of the Log4j exploit, and that AQUATIC PANDA - whose dual mission is intelligence collection and industrial espionage - continued reconnaissance and "malicious behavior" to retrieve malware and attempted to harvest credentials using "living off the land" tactics.
OverWatch says the unnamed victim organization was "able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat-actor activity on the host."
And on Tuesday, another Log4j patch was released by the Apache Software Foundation, the nonprofit that supports Apache's open-source software projects. Its Log4j version 2.17.1 fixes a newly disclosed remote code execution vulnerability tracked as CVE-2021-44832, which carries a "moderate" CVSS score of 6.6 because exploitation requires an attacker who can already modify the logging configuration (see: Apache's Log4j Version 2.17.1 Addresses New Flaw).
This story has been updated to include a statement from CyStack CEO Trung Nguyen.