A list of 5,600 names, including people from prominent institutions such as the US National Security Agency (NSA) and the German intelligence services, unexpectedly appeared online in a 313-kilobyte file at the end of June. The entries had one thing in common: each belonged to an account registered with VirusTotal, an important and often controversial website lauded for its crucial role in thwarting cyber attacks.
Serving as a large malware database, VirusTotal allows users to submit files or URLs that may be associated with malicious activity. These submissions are then cross-checked against the detection engines of 70 anti-virus software vendors to identify suspicious code that could be a Trojan horse or other malware residing on a machine. The result is a vast global collection of digital attack tools – a so-called malicious code library.
Despite its popularity among IT security professionals, VirusTotal has not always been without controversy. The German Federal Office for Information Security (BSI) recently warned against automatically uploading potentially sensitive files to the platform after learning that some companies had unintentionally disclosed private internal information, opening a door to corporate espionage. State actors, such as intelligence services, could potentially exploit such disclosures for malicious purposes.
The exposed data revealed the names and email addresses of VirusTotal’s users, shedding light on the company’s customer base. The collection includes a number of government organizations, including the US Department of Justice, the FBI, the NSA, the US Cyber Command, as well as organizations from the Netherlands, Taiwan and the UK.
The Federal Police, the Federal Criminal Police Office and the Military Counterintelligence Service (MAD) are also named in the leak, all of which are of major importance. In addition, employees of well-known German companies were identified, including Deutsche Bahn, Bundesbank, Allianz, BMW, Mercedes-Benz and Deutsche Telekom.
VirusTotal is in trouble
While the leak doesn’t reveal passwords or other sensitive information, it does expose the identities of those responsible for malware removal and IT security within their respective organizations, making them potentially vulnerable to targeted phishing or social engineering attacks.
The magnitude of this breach is compounded by the fact that Google, a major technology company known for its strong cybersecurity efforts, owns VirusTotal. Notably, it is rare for data from Google’s internal systems to be leaked and made public.
Concerns have been raised about the functionality of VirusTotal and possible platform vulnerabilities as a result of this incident. VirusTotal was originally designed as a virus detection tool, but has become a hub for a variety of information other than malicious software. Ironically, hackers also use the platform to test how well their malware evades antivirus programs, benefiting from the very site designed to protect consumers from online dangers.
VirusTotal offers free basic services, but some customers opt for expensive plans that allow them to store uploaded files on the company’s servers. IT security specialists have long suspected that government agencies and intelligence services routinely use VirusTotal to test whether their attack code is detected by the products of different anti-virus software vendors.
Affected companies have implemented security measures in response to the disclosure. The BSI has warned federal authorities not to upload data to VirusTotal, although they may continue to rely on it as a source of information. Similar steps have been taken by Deutsche Telekom and other affected companies to mitigate any risks associated with the leaked data.
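The BSI guidance above (keep using VirusTotal as an information source, stop uploading files) can be enforced in tooling rather than left to individual analysts. The following is an added example, not code from the article, from VirusTotal or from any of the organisations named: it computes a file's SHA-256 locally, queries VirusTotal by hash only (the public v3 endpoint GET /api/v3/files/{sha256} with an x-apikey header), and applies a hypothetical local policy that marks document-like or marker-bearing files as never eligible for content upload. The policy table, the marker strings and the JSON reply used in testing are constructed; the HTTP transport is injected so the logic runs offline.

```python
"""Hash-first VirusTotal triage: look files up by SHA-256, never upload content.

Added example (not from the article or from VirusTotal). It assumes the public
VirusTotal v3 endpoint GET /api/v3/files/{sha256} authenticated with an
`x-apikey` header, which returns HTTP 404 for unknown hashes.
"""
import hashlib
import json
from typing import Callable, Dict, Tuple

VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{sha256}"

# Hypothetical local classification policy (constructed for this example):
# files matching these signatures may be looked up by hash but never uploaded.
SENSITIVE_MAGIC = {
    b"%PDF": "pdf document",
    b"PK\x03\x04": "zip container (Office, JAR, ...)",
    b"\xd0\xcf\x11\xe0": "legacy Office/OLE document",
}
SENSITIVE_MARKERS = (b"CONFIDENTIAL", b"INTERNAL ONLY", b"BEGIN PRIVATE KEY")

# Transport signature: (url, headers) -> (http_status, body_bytes)
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the file content; this is all VirusTotal needs for a lookup."""
    return hashlib.sha256(data).hexdigest()


def upload_policy(data: bytes) -> Tuple[str, str]:
    """Return ("hash_only", reason) or ("upload_ok", "") for a file's bytes."""
    for magic, label in SENSITIVE_MAGIC.items():
        if data.startswith(magic):
            return "hash_only", label
    head = data[:65536]  # cheap scan of the first 64 KiB for classification markers
    for marker in SENSITIVE_MARKERS:
        if marker in head:
            return "hash_only", "marker %r" % marker.decode()
    return "upload_ok", ""


def lookup_by_hash(sha256: str, api_key: str, http_get: HttpGet) -> Dict:
    """Query VirusTotal for an existing report; only the hash leaves the host."""
    url = VT_FILE_LOOKUP.format(sha256=sha256)
    status, body = http_get(url, {"x-apikey": api_key})
    if status == 404:
        return {"known": False, "malicious": 0, "suspicious": 0}
    if status != 200:
        raise RuntimeError("VirusTotal lookup failed with HTTP %d" % status)
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    return {
        "known": True,
        "malicious": int(stats.get("malicious", 0)),
        "suspicious": int(stats.get("suspicious", 0)),
    }


def triage(data: bytes, api_key: str, http_get: HttpGet) -> Dict:
    """Hash-only triage of one file plus a verdict on whether upload could ever be allowed."""
    digest = sha256_of(data)
    action, reason = upload_policy(data)
    result = lookup_by_hash(digest, api_key, http_get)
    result.update({
        "sha256": digest,
        "upload_allowed": action == "upload_ok",
        "hold_reason": reason,
    })
    return result


def urllib_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport for production use; tests inject a fake instead."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    import os
    import sys
    key = os.environ.get("VT_API_KEY", "")  # hypothetical env var name
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read(), key, urllib_get))
```

The important design point is that `triage` has no code path that sends file content: an unknown hash yields `known: False`, and the decision about whether a human may later submit the file manually is recorded in `upload_allowed` and `hold_reason` rather than acted on automatically.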
This event is a sad reminder of the importance of protecting sensitive information and the need for constant vigilance in the ever-changing world of cyber security.