Fintech Firm Hit By $5 Million Ransom Demand After Log4j Attack

You are currently viewing Fintech Firm Hit By $5 Million Ransom Demand After Log4j Attack

ONUS, one of the largest cryptocurrency trading platforms, has been struck by an extortion attack brought on by the Log4j exploits. The threat actors behind the plan demanded a $5 Million ransom from ONUS, and threatened to publish customer data should ONUS refuse to comply.

ONUS refused to pay the ransom demands, and threat actors immediately put up data of nearly 2 million ONUS customers for sale on forums.

The Log4j vulnerabilities were leaked on Github on December 9th, and since then threat actors have been mass-scanning the internet for vulnerable servers.

Between December 11th and 13th, threat actors successfully exploited the Log4Shell vulnerability on a Cyclos server of ONUS and planted backdoors for sustained access.

Cyclos provides a range of point-of-sale (POS) and payment software solutions, and like most vendors, was using a vulnerable log4j version in its software.

Although Cyclos did issue an advisory on the 13th and reportedly informed ONUS to patch their systems, it was too late.

Despite ONUS having patched their Cyclos instance, the exposure window allowed sufficient time for threat actors to exfiltrate sensitive databases.

These databases contained nearly 2 million customer records including E-KYC (Know Your Customer) data, personal information, and hashed passwords.

E-KYC workflows used by banks and FinTech companies typically involve procuring some form of identification documents and proofs from the customers, along with a ‘video selfie’ for automated verification.

The Log4j vulnerability existed on a sandbox server “for programming purposes only”, but this was enough for threat actors to access sensitive data storage locations.

When the hackers got a hold of the data, ONUS was then met with a $5 million extortion demand that they refused to meet.

The company chose to disclose the attack to its customers via a private Facebook group.

“As a company that puts safety first, we are committed to providing our customers with transparency and integrity in business operations,” stated ONUS CEO Chien Tran.

“That is why, after careful consideration, the right thing we need to do now is to inform the entire ONUS community about this incident.”


“The hacker took advantage of a vulnerability in a set of libraries on the ONUS system to get into the sandbox server (for programming purposes only),” explains ONUS.

“However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system (Amazon S3) and stole some essential data. This leads to the risk of leaking the personal information of a large number of users.”

The customer information retrieved by threat actors includes:

  • Name
  • Email and Phone number
  • Address
  • KYC information
  • Encrypted password
  • Transaction history
  • And some other encrypted information

CyStack, which provides security services to ONUS, has conducted an investigation and released its findings on the attack.

By December 25th, after failing to secure the extortion amount from ONUS, threat actors put up the customer data for sale on a data breach marketplace.

The threat actors claim to have copies of 395 ONUS database tables with customers’ personal information and hashed passwords in their possession.

“We sincerely apologize and hope for your understanding,” states ONUS.

“This is also an opportunity for us to review ourselves, upgrade and further perfect the system to assure the safety of our users, especially during the transition from VNDC to ONUS.”

CyStack’s recommendations to ONUS included patching the Log4Shell vulnerability in Cyclos–as instructed by the vendor, deactivating leaked AWS credentials, properly configuring AWS access permissions, blocking public access to all sensitive S3 buckets, and imposing additional restrictions.

Protection Against Attacks Like Log4j

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply