[MART] - Daily Diary #421 - Crypto Trading Company Breached Via Log4j Flaw

CTAS-MAT ctas-mat at appgate.com
Wed Dec 29 21:12:34 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

12/29/2021 - Diary entry #421:

ONUS, a Vietnamese crypto trading company, suffered a recent cyberattack on a Cyclos server running a vulnerable Log4j version. Cyclos provides point-of-sale (POS) and payment software solutions. The attack led to the exfiltration of databases containing nearly 2 million customer records.

Between December 11 and December 13, threat actors leveraged the Log4j RCE vulnerability to get into an ONUS sandbox server used for programming purposes. Due to a misconfiguration, that server had access to ONUS's data storage system (an Amazon S3 bucket), allowing the threat actors to steal a large amount of customers' sensitive data, such as KYC (Know Your Customer) data, personal information, and hashed passwords.

After the attack, the threat actors demanded a $5 million extortion payment not to publish the data. Since ONUS didn't pay the money, the threat actors put the customer data up for sale on the popular data breach marketplace RaidForums, including several samples of the stolen data.

In this case, a resource (the S3 bucket) wasn't supposed to be available to a sandbox server, which led to the data leak. To be protected against this kind of attack, we highly recommend adopting a Zero Trust architecture, isolating systems, and segmenting networks. As Log4j vulnerabilities are getting a lot of attention, we also recommend that anyone hosting Java servers perform pentests on their systems, locating any service that might be vulnerable.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549
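The sandbox-to-S3 exposure described in the diary entry above comes down to an identity policy that reached further than the sandbox's purpose required. As an added example (not part of the original post, and not ONUS's or Cyclos's actual configuration), the Python below models a simplified IAM policy evaluation and compares an over-permissive sandbox policy with a scoped one. The bucket names, the role's purpose and both policy documents are constructed placeholders, and the evaluator deliberately covers only Effect/Action/Resource with wildcard matching and explicit-deny precedence.

```python
"""Simplified IAM identity-policy check (constructed example).

Models only Effect / Action / Resource with '*' and '?' wildcards and
explicit-deny precedence.  It ignores Conditions, NotAction/NotResource,
resource policies, permission boundaries and SCPs, all of which a real
audit must also consider.  Bucket names and policies are placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Return True if `policy` grants `action` on `resource`.

    Default is deny; any matching Deny statement overrides every Allow.
    Action matching is case-insensitive (as in IAM); ARNs are matched
    case-sensitively.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # explicit deny wins immediately
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def reachable_sensitive_resources(policy: dict, sensitive_arns, action="s3:GetObject"):
    """List the sensitive ARNs a principal with `policy` could read.

    Anything returned here is a finding: a sandbox role should come back
    empty for production data stores.
    """
    return [arn for arn in sensitive_arns if is_allowed(policy, action, arn)]


# Placeholder ARNs (constructed, not real buckets).
CUSTOMER_DATA_OBJECT = "arn:aws:s3:::example-customer-data/kyc/record-0001.json"
SANDBOX_OBJECT = "arn:aws:s3:::example-sandbox-dev/build/artifact.jar"

# Weak setting: a "developer convenience" policy that grants all of S3.
OVERPERMISSIVE_SANDBOX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Corrected setting: least privilege on the sandbox's own bucket, plus an
# explicit deny on the customer-data bucket so later Allow statements
# (or a merged managed policy) cannot silently reopen it.
SCOPED_SANDBOX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-sandbox-dev",
                         "arn:aws:s3:::example-sandbox-dev/*"],
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-customer-data",
                         "arn:aws:s3:::example-customer-data/*"],
        },
    ],
}


if __name__ == "__main__":
    sensitive = [CUSTOMER_DATA_OBJECT]
    for name, policy in [("over-permissive", OVERPERMISSIVE_SANDBOX_POLICY),
                         ("scoped", SCOPED_SANDBOX_POLICY)]:
        hits = reachable_sensitive_resources(policy, sensitive)
        print(f"{name:16s} sandbox policy reaches customer data: {hits or 'nothing'}")
```

The evaluator is intentionally a toy: for a real account, run IAM Access Analyzer or the `SimulatePrincipalPolicy` API against the sandbox's instance profile, which account for conditions, resource policies and SCPs. The design point it illustrates is the one the entry makes: a sandbox that gets compromised through a vulnerable Log4j service should still be unable to read the production data bucket, and an explicit Deny on that bucket keeps the boundary in place even if someone later attaches a broader managed policy.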
