Log4j used to hack payment systems: company refuses to pay $5 million

Vietnamese crypto trading platform suffered a cyber-attack due to Log4Shell vulnerability

ONUS patched the flaw a little too late. Customer data was obtained in the server hack, but the company refused to pay 5 million dollars, so the data was put up for sale publicly.

ONUS, one of Vietnam's largest crypto trading platforms, reported a security incident on its payment system, which was running a vulnerable version of Log4j. Threat actors hacked the system through the recently reported bug that has already affected major companies all over the world.[1] Shortly after the attack, the threat actors contacted the company and tried to extort 5 million dollars, threatening to publish customer data if ONUS refused to pay up.

Since the company decided not to pay the demanded sum, the malicious actors published the details of almost 2 million customers. This personal information is now for sale on various online forums, and stolen customer data of this kind can be misused in many ways later on.[2] The affected database contained E-KYC data, which banks and FinTech companies use for identity verification and which includes identification documents and customer proofs such as video selfies used for authentication.

The payment software was running the vulnerable Log4j version, so attackers took advantage of the flaw and gained access to customer data. Once Log4Shell was first exploited in the wild, attackers began scanning the internet for any vulnerable servers, and these attacks took off from there.[3]

The vulnerability had already been exploited successfully

Threat actors have been exploiting this flaw on various servers. The Cyclos server of ONUS was hacked between the 11th and 13th of December, after which the attackers dropped backdoor malware[4] to keep their access. Cyclos offers various POS and payment solutions and, unfortunately, like other vendors, used log4j in its software.

As a company that puts safety first, we are committed to providing our customers with transparency and integrity in business operations.

The advisory was released and the issue was reported. ONUS patched its systems and took all the necessary measures, but it was too late, since the data had already been obtained. The exposure allowed the attackers to exfiltrate any potentially valuable information from the database, which contained customer records, including Know Your Customer data, personal details and hacked passwords.

System misconfiguration allowed attackers to access customer data from the programming server

The Log4Shell vulnerability was on a sandbox server used for programming purposes only, but by exploiting a system misconfiguration the attackers managed to reach the locations where sensitive data was stored. The company refused to pay and disclosed the attack to its customers through its private Facebook group, where the incident notice was posted.

However, the attack involved more than just exploitation of the Log4j flaw. It was certainly the entry point that first gave the attackers access to the systems, but it was access to and control over ONUS's Amazon S3 buckets that let the criminals go further. The attackers exploited the vulnerability to get into the sandbox server, where the personal information of a large number of users was stored.

Over Christmas, since the company refused to pay up, this information was put up for sale on an online data breach marketplace. The threat actors had obtained copies of various database tables containing list upon list of customers' personal details.

By now these Log4j vulnerabilities have been exploited by all kinds of attackers, from state-backed hackers to ransomware operators and other criminals. The flaw is eliminated once users upgrade to the latest version, 2.17.1, which was recently released.[5]
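A defender-side inventory check in the spirit of that upgrade advice, added here as an example and not part of the article: it walks a jar or WAR (including libraries nested inside fat jars), reads the log4j-core version from its Maven pom.properties, and flags any copy older than 2.17.1 or of unknown version that still ships the JndiLookup class. The sample jars are constructed in memory; the archive paths and function names are assumptions.

```python
import io
import re
import zipfile

FIXED_VERSION = (2, 17, 1)  # release the article points to; older copies get flagged
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(pom_properties: str):
    """Extract (major, minor, patch) from a log4j-core pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_archive(data: bytes, depth: int = 0):
    """List every log4j-core found in a jar/war, recursing into nested archives (fat jars, WEB-INF/lib)."""
    findings, version, has_lookup = [], None, False
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive at all: nothing to report
    for name in zf.namelist():
        if POM_RE.search(name):
            version = parse_version(zf.read(name).decode("utf-8", "replace"))
        elif name.endswith(LOOKUP_CLASS):
            has_lookup = True
        elif name.endswith((".jar", ".war", ".ear")) and depth < 3:
            findings.extend(inspect_archive(zf.read(name), depth + 1))
    if version is not None or has_lookup:
        findings.append({"version": version, "jndi_lookup": has_lookup})
    return findings

def needs_action(finding) -> bool:
    """Flag copies older than 2.17.1, or of unknown version that still ship JndiLookup."""
    if finding["version"] is None:
        return finding["jndi_lookup"]
    return finding["version"] < FIXED_VERSION

def _zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry name: str or bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def make_sample_jar(version: str, nested: bool = False) -> bytes:
    """Constructed stand-in for log4j-core (not a real jar); nested=True wraps it inside a fat jar."""
    inner = _zip({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": f"version={version}\n",
                  LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})  # fake class bytes, enough for the name check
    return _zip({f"BOOT-INF/lib/log4j-core-{version}.jar": inner}) if nested else inner
```

Maintained older branches (2.12.x and 2.3.x) received their own backported fixes; this check deliberately follows the article and flags everything below 2.17.1.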

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
