ShinyHunters Attack National Credit Information Center of Vietnam

Vietnam’s National Credit Information Center (CIC) was hit by a ShinyHunters cyberattack, with VNCERT confirming signs of unauthorized access to steal personal data.

Authorities are investigating a cyber-attack against National Credit Information Center (CIC) of Vietnam by ShinyHunters. As confirmed by the Vietnam Cyber Emergency Response Team (VNCERT), signs of unauthorised access aimed at stealing personal data have been identified.

Resecurity’s HUNTER team was able to acquire samples of leaked data. Notably, multiple records include references to the leading financial institutions in Vietnam including but not limited to VietCredit, MB Bank, Ocean Bank, VPBank, Sacombank (Saigon Thuong Tin Commercial Joint Stock Bank), Agribank (Vietnam Bank for Agriculture and Rural Development).

ShinyHunters claimed to exploit an “n-day” vulnerability (a known but unpatched flaw) in end-of-life software used by the CIC. Because the software was no longer supported, no security patches were available, leaving the system especially vulnerable. Unlike many ransomware attacks, ShinyHunters did not attempt to extort the CIC. Instead, they listed the data for sale on a hacking forum on the Dark Web, providing a large sample as proof.

ShinyHunters is one of the most prolific and notorious cybercriminal groups of the past five years, responsible for a series of high-profile data breaches that have impacted hundreds of millions of users and some of the world’s largest organizations—including the compromise of Microsoft’s GitHub account, AT&T, Ticketmaster, Santander, MathWay, Tokopedia, Wishbone, Wattpad, Pluto TV, Bonobos, Aditya Birla Fashion and Retail, Mashable, and the Legal Aid Agency (U.K. Ministry of Justice). Their operations have evolved from large-scale database thefts to sophisticated social engineering and cloud platform attacks.

The CIC’s role as a centralized repository for Vietnam’s credit data made it a particularly attractive target, as breaching it exposed a single point of failure affecting nearly the entire population. According to cybersecurity experts, such incidents can have cascading effects, including increased risk of identity theft, financial fraud, and systemic instability.

Law enforcement and data protection regulators launched an official investigation to determine the full extent of the breach. The Department of Cybersecurity of Vietnam, along with major state-owned technology partners such as Viettel, VNPT, and NCS, was mobilized to assess the scope of the incident and to identify the vulnerabilities exploited by the attackers. The national cyberresponse team was also activated to take emergency measures and to coordinate the response.

According to Vietnam News, VNCERT has issued a strict warning to all individuals and organizations, urging them not to download, share, or exploit any leaked data. Violations will be handled in accordance with Vietnam’s data protection and cybersecurity laws. Unfortunately, it cannot prevent cybercriminals from such activity, as the data has already been leaked and become available.

Yesterday, the State Bank of Vietnam (SBV) issued a statement to reassure clients following a data breach at the National Credit Information Centre (CIC). SBV confirmed that CIC is one of four organizations authorized to provide credit information services in Vietnam, and the credit data it collects does not include bank account numbers, account balances, savings books, payment accounts, debit or credit card numbers, CVV/CVC codes, or clients’ transaction histories.

Unfortunately, other types of PII are likely to be impacted by the breach and could still be used by fraudsters including contact information, payment identifiers and references to local financial institutions. In its statement, the central bank emphasized that commercial banks’ IT systems continue to operate safely and stably, ensuring the protection of clients’ assets and information. It also regularly directs financial institutions to strengthen security measures, comply with legal regulations on IT safety, and safeguard customers’ rights.

According to Reuters, investment bank JPMorgan said in a note to investors on Friday the incident could lead to higher costs for banks to improve cybersecurity and was a potential risk to deposit flows, but maintained its recommendation to stay invested in Vietnamese banks “barring a widespread impact or further incidents”.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShinyHunters)