Vietnam Post exposes 1.2TB of data, including email addresses

Vietnam Post Corporation, a Vietnamese government-owned postal service, left its security logs and employee email addresses accessible to outside cyber snoopers, Cybernews researchers have discovered. The exposed sensitive data could spell trouble if accessed by malicious actors.

On October 3rd, the Cybernews research team discovered an open Kibana instance belonging to the Vietnam Post Corporation. Kibana is a visualization dashboard for data search and analytics, helping enterprises deal with large quantities of data.

At the time of discovery, the data store contained 226 million logged events, resulting in 1.2 Terabytes of data, which was being updated in real-time. The leaked information also had employee names and emails.

Those logs were mainly attributable to cybersecurity software such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). Some records resembled a modified version of Wazuh, an open-source security information and event management (SIEM) platform.

“Event logs can be very valuable for potential attackers, as they can help with network, user, and service enumeration and tracking,” Cybernews researchers explain.

The data store was left accessible for at least 87 days, as the internet-scanning IoT search engines indexed the data for the first time on July 8th, 2023.

Soon after the discovery on October 6th, Vietnam Post Corporation revoked public access before the Cybernews researchers could contact them.

A Vietnam Post representative explained that its IT team detected and immediately fixed this incident, which “was unexpected negligence from the partner that we are renting email services and monitoring our email system from.” The incident did not affect production and business activities, nor partners and clients, as it contained “only basic monitoring log information.”

Vietnam Post has coordinated with Vietnam’s Department of Information Security and partners to resolve the issue immediately and “have also prevented unfortunate errors from occurring and ensured the safety of the information system.”


State-sponsored hackers on the hunt

While the leak wouldn’t provide attackers with direct access to sensitive systems or user accounts, it contained device usernames with employee names or emails. This information enables potential attackers to identify which employees were working at a given time and which devices they were using.

“XDR tools are essential for cyber security personnel to keep track of what is happening in the network, allowing them to detect threats and respond effectively. When such systems fall into the wrong hands, it can give an attacker visibility into the network and monitor the response to potential threats they might unleash on the nodes in the network,” Cybernews researchers explain.

Malicious actors, especially state-sponsored advanced persistent threats, monitor potential weaknesses to wreak chaos in targeted systems. And security logs, listing machines, users, and their activity, would be very valuable to them.

“This leak is significant, as it could have been used to assist in an attack against a governmental organization, which is often considered critical infrastructure. It could have been used to collect information about its employee's activities,” Cybernews researchers believe.

State-owned corporations are often responsible for critical infrastructure, which is paramount to uninterrupted operations.

One of the most notorious cyberattacks during the last few years happened when attackers managed to steal a single password to bring the Colonial Pipeline down and disrupt fuel supplies to the US Southeast.

“Vietnam Postal Corporation leak reveals that the organization was taking security seriously to the extent of using XDR and SIEM software, and they still exposed sensitive information about internal network events and nodes by failing to keep access to the collected information secure. This highlights the importance of ensuring that access to company-wide security tools remains private and only available to authorized personnel,” researchers concluded.

Mitigation 101

Organizations should ensure that software is configured securely and all relevant access control methods are used to avoid this type of leak.

“Employees should be aware that leaked emails could be used for targeted phishing attacks. Therefore, they should take incoming communications with more caution. The Vietnam Post Corporation should ensure that employees have undergone basic cybersecurity training and can spot phishing attacks,” researchers suggest.

Regarding software logs, the company should evaluate its current access control policies to ensure they are appropriate and cannot be easily violated by human error.

“The security teams should investigate if the leaked information is potentially being used in attacks against their network. Additionally, they should consider changing the policy of usernames or authentication tokens to ensure such leaks do not expose employees' personal information,” the report reads.

Vietnam Postal Corporation is a Vietnamese government-owned postal service. It also provides financial, life, and non-life insurance services, including bill collection and payments. Established in 2005, the organization currently employs over 70 thousand people.

Updated with Vietnam Post's comment.