Cyber Incident Victim: ONUS
Date: Dec 2021
Location: Viet Nam
Summary
A Vietnamese cryptocurrency trading platform suffered a cyberattack exploiting the Log4Shell vulnerability in its payment system's Cyclos server, shortly after the exploit became publicly available. Attackers gained initial access through a misconfigured sandbox environment, then leveraged improper Amazon S3 bucket permissions to exfiltrate sensitive databases containing nearly 2 million customer records—including personal identification details, KYC documentation, transaction histories, and encrypted credentials. Following the victim's refusal to pay a $5 million ransom demand, threat actors publicly listed the stolen data for sale, exposing samples of customer ID documents and biometric verification materials. The breach stemmed from both unpatched Log4j software and inadequate cloud storage access controls, with attackers maintaining persistent access despite subsequent remediation efforts.
Description
The ONUS incident began with the public release of a Proof-of-Concept (PoC) exploit for the Log4Shell vulnerability (CVE-2021-44228) on December 9, 2021. Threat actors rapidly initiated mass scanning campaigns targeting internet-exposed systems running vulnerable Log4j versions. Between December 11 and 13, attackers successfully exploited this vulnerability in ONUS's Cyclos payment platform server, establishing persistent access through implanted backdoors. Although Cyclos issued a security advisory on December 13 urging immediate patching and reportedly notified ONUS, remediation efforts occurred too late to prevent data exfiltration. The compromised server—a sandbox environment designated for programming purposes—contained misconfigured access credentials that allowed threat actors to escalate privileges into production Amazon S3 storage buckets. This configuration error enabled unauthorized retrieval of sensitive databases containing records for approximately 2 million customers.

Attackers subsequently demanded a $5 million ransom from ONUS, threatening public data disclosure. The company refused payment, prompting threat actors to list the stolen datasets for sale on cybercrime forums by December 25. Exfiltrated information included full names, contact details, residential addresses, transaction histories, encrypted passwords, and extensive Know-Your-Customer (KYC) documentation such as ID card images, passport scans, and verification video clips. ONUS disclosed the breach through a private Facebook group communication, acknowledging both the Log4j exploitation and S3 misconfiguration while emphasizing operational transparency. Cybersecurity firm CyStack conducted a forensic investigation confirming the attack vector, identifying the implanted backdoors, and recommending immediate mitigation measures including Log4j patching, AWS credential rotation, S3 bucket access restriction, and permission hardening. The incident exposed systemic vulnerabilities in ONUS's development-to-production environment segregation and access control protocols during its platform migration phase.
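The S3 finding above reduces to one audit question a defender should be able to answer mechanically: can the credentials held on a sandbox host read objects in a production bucket? The following is an added example, not part of the original report or of CyStack's findings; the bucket names, both policy documents and the simplified evaluator are constructed assumptions (real IAM evaluation also considers bucket policies, SCPs, conditions and every attached policy, so treat this as a first-pass check, not a replacement for the AWS policy simulator).

```python
import fnmatch

# Constructed sample: a production bucket (name is an assumption, not ONUS's real
# resource) and a sandbox principal's identity policy that is far too broad,
# mirroring the over-permissioned sandbox credential described in the incident.
PROD_BUCKET_ARN = "arn:aws:s3:::example-prod-customer-db"

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Corrected policy: the sandbox may only touch its own scratch bucket, and the
# production bucket is explicitly denied so a later broad Allow cannot reopen it.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-sandbox-scratch/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": [PROD_BUCKET_ARN, PROD_BUCKET_ARN + "/*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character;
    # actions are matched case-insensitively, so both sides are lower-cased.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Simplified IAM decision: an explicit Deny always wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def sandbox_can_read_prod(policy):
    """The audit question raised by the incident: can these credentials read production objects?"""
    return is_allowed(policy, "s3:GetObject", PROD_BUCKET_ARN + "/customers.sql")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: sandbox can read prod = {sandbox_can_read_prod(pol)}")
```

Run against the policy documents actually attached to sandbox roles and instance profiles; any `True` result is the same class of gap that turned a sandbox compromise into a production database exfiltration here.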
