[German]The web service virustotal.com (founded by the Spanish company Hispasec Sistemas, taken over by Google), which has been operated by Google since 2012, is popular among security researchers and companies for checking suspicious files for malware. However, there are warnings about how critical automated documents uploaded to Virustotal are with regard to data protection and data leaks, because the data can be viewed by third parties. And even registering with virustotal.com is not a good idea, as a data leak shows. The Austrian media STANDARD has received a list of registered customers of virustotal.com, which disclose names of employees including e-mail addresses. Some of those affected, from secret services or companies, would rather not see their data in public.
The platform virustotal.com points out in its terms and conditions that the uploaded files are viewed by third parties. If the documents contain internal company information or explosive material, this becomes public when uploaded. Therefore, the service is helpful, but latently bears the risk that something can go tremendously wrong when using it. In addition to a BSI warning from 2022, a new case shows what can go wrong.
In March 2022, German Federal Office for Information Security (BSI) had published a security warning (PDF document in German) dealing with automatic file uploads.
In the document, a screenshot was published where the BSI suspects that leaked BSI alerts from recipients of the BSI distribution list are automatically uploaded to virustotal.com. If a list with the BSI distribution list is then also uploaded to virustotal.com, the recipients would be quasi-public – something that should/will be avoided. This is because many of the people do not want to be publicly identified with their work.
New leak exposes virustotal customer list
The Austrian STANDARD has received a file of only 313 kilobytes that would have been better never to become public. At the end of July 2023, this file probably reached the Internet via a data leak. The file is explosive: It contains a list of 5,600 names of customers of the virustotal.com platform who were registered there. This includes employees of the US intelligence agency NSA and German intelligence agencies.
How the file exactly became public (e.g. as an upload to Virustotal) is not revealed. However, based on the characteristics of the data, the file must have originated from the inner environment of virustotal.com.
The STANDARD, which has the file with the list, writes that in each case it contains the name of the organization and the e-mail address of the employees who registered the account on virustotal.com.
- 20 accounts belong to the U.S. "Cyber Command"; also represented are users of the U.S. Department of Justice, the U.S. Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
- According to STANDARD, other accounts belong to official bodies from the Netherlands, Taiwan and Great Britain.
- From Austria, addresses from the Federal Ministry of Defense and the Interior Ministry are on the list.
- Three employees of the German BSI are also listed – site Golem write that employees of the Federal Criminal Police Office (BKA), the Military Counter-Intelligence Service (MAD) and the Federal Office for Telecommunications Statistics (BFSt) are also included in the list.
- The list also includes employees of German companies: around 30 employees of Deutsche Bahn, as well as other employees of the Bundesbank and various Dax giants such as Allianz, BMW, Daimler and Deutsche Telekom are represented, it says.
According to the STANDARD, it has checked the data together with German news magazine Der Spiegel, and the data is probably genuine. The incident shows how critical online activities are when data gets into the hands of unauthorized third parties via a leak. In the above case, there is a risk that the captured data will be misused for cyber attacks by means of social engineering.
Some more details
Addendum: Recorded Future News reported within this article, that emails for ministries in Germany, Japan, the United Arab Emirates, Qatar, Lithuania, Israel, Turkey, France, Estonia, Poland, Saudi Arabia, Colombia, the Czech Republic, Egypt, Slovakia and Ukraine has been found in the leaked file. The media cites a Google spokesman as:
We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform.
We removed the list from the platform within an hour of its posting and are looking at our internal processes and technical controls to improve our operations in the future.
UK Ministry of Defence (accounts for almost half of the emails associated with the gov[.uk] domain) getting cited, that:
We are aware of a data breach from a third party involving the details of MoD employees. None of the data was sensitive and all details have now been removed.
The National Cyber Security Centre is understood to be aware of the leak and unconcerned about its potential impact. A spokesperson for the Nuclear Decommissioning Authority (NDA) said to Recorded Future News: "Employee email addresses may be available in the public domain for a variety of reasons, which is why we provide ongoing training and awareness for staff of the risks associated with phishing emails."
The Pensions Regulator told Recorded Future News: "We take cyber security extremely seriously and have controls in place to prevent malicious emails from infiltrating our systems."
BTW, the leaked list reveals, that some military personnel are using personal accounts with email providers like Gmail, Hotmail, and Yahoo. So impacted organizations considers it a low-risk incident.
Cookies helps to fund this blog: Cookie settings