Companies that scan binaries using VirusTotal — or other cloud scanning services — may expose sensitive data to the public, especially when developers scan internally-developed applications using the service, managed security firm DirectDefense warned on Aug. 9.
The problem came to light when the company found information belonging to clients of endpoint detection and response (EDR) firm Carbon Black exposed through VirusTotal’s service.
The EDR provider allows customers to optionally scan system and program files using the VirusTotal service. But in doing so, companies often do not realize that premium subscribers of the VirusTotal service get access to the submitted files. In effect, any company or government agency with premium access to VirusTotal’s application programming interface (API) can mine those files for sensitive data.
“Cloud-based multiscanners operate as for-profit businesses,” Jim Broome, president of DirectDefense, stated in the analysis. “They survive by charging for access to advanced tools sold to malware analysts, governments, corporate security teams, security companies, and basically whomever is willing to pay. Access to these tools includes access to the files submitted to the multiscanner corpus— it’s hard to analyze malware that you don’t have.”
Security professionals at DirectDefense used its access to scan for internal corporate files uploaded to the VirusTotal service, identifying a variety of sensitive pieces of data that had been included in scanned binaries, such as web API and cloud keys, user credentials, app-store keys, customer data and a variety of developer-specific information.
Using the information, attackers could shutdown a victim’s cloud infrastructure, issue malicious updates to mobile applications or compromise a firm’s software development process, DirectDefense’s Broom told eWEEK. The problem is that companies trust their security provider without realizing the impact caused by the data going to a third-party provider.
“We want people to be aware of this danger,” he said. “We believe this issue is much broader than just one vendor.”
The analysis, published on Aug. 9 on DirectDefense’s blog, is not the first time that researchers found security software potentially being an avenue for data leaks. Compromised computers with no direct access to the Internet could still have data exfiltrated by attackers using the security software’s cloud sandbox as a channel to the Internet, security firm SafeBreach stated in research presented at the Black Hat Security Briefings in Las Vegas last month.
Carbon Black objected to the research and its publication, noting that the company was not notified of DirectDefense’s analysis prior before that company published the blog post. Carbon Black stressed that Cb Response, its EDR product, does not send files for analysis through VirusTotal by default, but only if the client activates the feature.
“It is a feature, off by default, with many options to ensure privacy, and a detailed warning before enabling,” the company stated in its own blog post.
DirectDefense argued in a blogged response that the feature is often activated, because clients are frequently urged to do so.
“[T]he recommendations or messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans,” DirectDefense’s Broome stated in the blog post.
VirusTotal’s paid-for service allows access to its Private API 2.0, which allows companies to use a larger set of function calls at a higher data rate. The ability to download files matching certain criteria – such as those uploaded by a specific provider – is part of the Private API 2.0. The capability is intended to allow security-software providers to download files to test their systems.
In an interview, Broome underscored that, while Carbon Black’s success means it's the largest enabler of data leaks through cloud analysis services, other security providers may also be putting their clients at risk. This is a bigger conversation than just Carbon Black or VirusTotal, he told eWEEK.
“There are a lot of solutions that are following a similar kind of model,” he said. “At the end of the day, customers, when we tell them that we found your data here, in most cases, they are pretty shocked. We can get into a larger argument about EULAs, but they didn’t realize, or didn’t read the fine print to realize, that their data is going somewhere else and being resold.”