Pierluigi Paganini November 16, 2023
Vietnam Post Corporation, a Vietnamese government-owned postal service, left its security logs and employee email addresses accessible to outside cyber snoopers, Cybernews researchers have discovered. The exposed sensitive data could spell trouble if accessed by malicious actors.
On October 3rd, the Cybernews research team discovered an open Kibana instance belonging to the Vietnam Post Corporation. Kibana is a visualization dashboard for data search and analytics, helping enterprises deal with large quantities of data.
At the time of discovery, the data store contained 226 million logged events, amounting to 1.2 terabytes of data, and was being updated in real time. The leaked information also included employee names and emails.
Those logs were mainly attributable to cybersecurity software such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). Some records resembled a modified version of Wazuh, an open-source SIEM platform.
“Event logs can be very valuable for potential attackers, as they can help with network, user, and service enumeration and tracking,” Cybernews researchers explain.
The data store was left accessible for at least 87 days: internet-scanning IoT search engines first indexed the data on July 8th, 2023.
Soon after the discovery, on October 6th, Vietnam Post Corporation revoked public access before the Cybernews researchers could contact them. Cybernews has contacted the company but had not received additional comment by the time this article was published.
While the leak wouldn’t provide attackers with direct access to sensitive systems or user accounts, it contained device usernames with employee names or emails. This information enables potential attackers to identify which employees were working at a given time and which devices they were using.
“XDR tools are essential for cyber security personnel to keep track of what is happening in the network, allowing them to detect threats and respond effectively. When such systems fall into the wrong hands, it can give an attacker visibility into the network and monitor the response to potential threats they might unleash on the nodes in the network,” Cybernews researchers explain.
Malicious actors, especially state-sponsored advanced persistent threats, monitor potential weaknesses to wreak chaos in targeted systems. And security logs, listing machines, users, and their activity, would be very valuable to them.
“This leak is significant, as it could have been used to assist in an attack against a governmental organization, which is often considered critical infrastructure. It could have been used to collect information about its employees’ activities,” Cybernews researchers believe.
State-owned corporations are often responsible for critical infrastructure, which is paramount to uninterrupted operations.
One of the most notorious cyberattacks during the last few years happened when attackers managed to steal a single password to bring the Colonial Pipeline down and disrupt fuel supplies to the US Southeast.
“Vietnam Postal Corporation leak reveals that the organization was taking security seriously to the extent of using XDR and SIEM software, and they still exposed sensitive information about internal network events and nodes by failing to keep access to the collected information secure. This highlights the importance of ensuring that access to company-wide security tools remains private and only available to authorized personnel,” researchers concluded.
The recommendations provided by CyberNews researchers are available here:
https://cybernews.com/security/vietnam-post-exposes-data-including-email-addresses/
About the author: Ernestas Naprys, Senior Journalist CyberNews