A Korean IT company developing and selling enterprise software has leaked over 50 million sensitive records.
The 2 TB-strong Kibana dashboard has been exposed for over two years. Cybernews researchers discovered it back in January 2023, noting the set of data was first spotted in June 2021. Our team attributed the dashboard to tmax.co.kr – a website owned by TmaxSoft, one of the Tmax brand companies.
Unfortunately, the company hasn’t yet responded to Cybernews’ disclosure emails and requests for an on-the-record comment, and the dashboard with a treasure trove of information that could easily be exploited by threat actors remains open.
In total, there are over 56 million records in the dataset. However, some entries are duplicates.
The leaked data included:
- Employee names, emails, and phone numbers
- Employee/employment contract numbers
- Contents of sent attachments (docx, pdf)
- Metadata of sent binaries (executable names, the file path of where they were stored, version names, etc.)
- Employee IPs, user agents, and URLs of accessed internal tools
- Internal issue tracking messages
“These types of leaks are particularly valuable for advanced attackers, or Initial Access Brokers, as they reveal a lot of internal information, allowing the attacker to better understand what they’re up against and choose which employee to impersonate to gain access to specific tools,” Cybernews researchers noted.
Since TmaxSoft specializes in middleware solutions to “help companies leverage critical data,” the leaked data could be exploited in a supply chain attack, affecting Tmax clients and providers.
On its website, TmaxSoft claims to be partnering with major tech companies worldwide, including AWS, Google Cloud, Intel, and VMware, among others.
“The information related to their projects could be used by their competitors and assist in reverse engineering efforts, or could also be used to find and abuse any exploits that could be revealed by that information,” researchers said.
Since Cybernews is on a mission to make the internet a safer place and follows responsible disclosure guidelines, we recommend that Tmax and any company dealing with a similar issue follow these guidelines to mitigate the risk and prevent similar issues in the future:
- Employee emails – the company should change its email naming structure, employ stricter spam filtering policies, and provide training for employees on how to spot and report phishing emails.
- The company should change employee phone numbers and start using EDR on employee phones.
- Employee/employment contract numbers – the company should make sure that they don’t use these as secrets (username or password, or a second-factor authentication).
- Contents of sent attachments and binary metadata – the company should review these documents, looking for any weak points that might be abused, and update their threat landscape according to their findings.
- The company could provide credit and dark web monitoring services for their employees.
- Employee IPs, user agents, and URLs of accessed internal tools – the company should monitor these tools more closely and not rely on static IPs or user agents to verify the legitimacy of the connection.
- Internal issue tracking messages – the company should prioritize fixing any tracked issues that could compromise the security of their products.
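The article does not say how the Kibana dashboard came to be reachable, and the following is an added example, not configuration taken from Tmax or from the article. It assumes the common cause of this class of exposure: an Elasticsearch node and its Kibana front end bound to a public interface with authentication switched off. The weak values are shown in comments beside the hardened settings; file paths and the environment variable name are placeholders.

```yaml
# elasticsearch.yml (assumed deployment; paths are placeholders)
#
# Weak pattern that leaves every index readable by anyone who can reach port 9200:
#   network.host: 0.0.0.0
#   xpack.security.enabled: false
#
network.host: 127.0.0.1                 # listen on loopback only; reach it via VPN or an authenticating reverse proxy
xpack.security.enabled: true            # every request must authenticate against a user or API key
xpack.security.http.ssl.enabled: true   # protect credentials and data in transit
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder keystore path

# kibana.yml (assumed deployment)
#
# Weak pattern: server.host: "0.0.0.0" with no elasticsearch.username/password,
# which serves the dashboards to the internet with no login page.
#
server.host: "127.0.0.1"                              # do not bind the UI to a public interface
elasticsearch.hosts: ["https://127.0.0.1:9200"]
elasticsearch.username: "kibana_system"               # built-in service account with only the privileges Kibana needs
elasticsearch.password: "${KIBANA_SYSTEM_PASSWORD}"   # placeholder; prefer storing it with bin/kibana-keystore
elasticsearch.ssl.certificateAuthorities: ["certs/ca.crt"]   # placeholder CA path
```

After applying these settings, an unauthenticated request to the Kibana port should return a redirect to the login page rather than dashboard content, and an unauthenticated request to the Elasticsearch port should return HTTP 401; checking both from an outside network is the quickest confirmation that a dashboard like the one described above is no longer open. Binding to loopback is the setting that matters most: it closes the exposure even if someone later disables security for a test and forgets to re-enable it.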
Most of the data that was leaked was company information and company emails, meaning most of the mitigation techniques should be applied by TmaxSoft themselves.
We’ve also contacted the National Computer Emergency Response Team in Korea (KrCERT/CC), asking for their help in contacting the company and helping it patch the vulnerability.