ONUS Compromised from Log4Shell

Industry: Technology | Level: Tactical | Source: Cystack

Compromise of ONUS, a cryptocurrency platform in Vietnam was reported by CyStack as the company's payment software from "Cyclos" was vulnerable to CVE-2021-44228/Log4Shell. Insecure misconfigurations with the company's AWS S3 buckets escalated the attack. Details of the attack involve using Log4Shell payloads to establish a malicious connection, read file "cyclos.properties" containing AWS credentials led attackers to capitalize on the ONUS misconfigurations of granting "AmazonS3FullAccess permission to the access key which allowed attackers to compromise and easily delete all of the S3 buckets. Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information." They also downloaded a backdoor on the server disguised as the Linux operating system’s kworker service that tunneled a connection to the attacker's C2 server using SSH. The impact of the attack involves the compromise of 2 million ONUS, information that includes EKYC and personal data, and password hashes being leaked.

• Anvilogic Use Cases:
• Potential CVE-2021-44228 – Log4Shell
• AWS S3 Bucket Manipulation
• SSH Pivoting