SafeBreach Researchers Outline How Hackers Could Maliciously Leverage Google’s VirusTotal Service

SafeBreach released a research blog on how they were able to obtain large amounts of sensitive data using Google’s VirusTotal service in combination with other known malware services and hacker forums.


We spoke with Tomer Bar of SafeBreach about the research and what makes this finding highly relevant for the security community.

Can you explain your finding? What makes this unique?


VirusTotal, owned by Google, is one of the biggest public malware datasets in the world. This service allows everyone to upload suspicious files; each file will be scanned by at least 70 endpoint security engines and the results will be displayed for the user to decide if this file is malicious or not. VirusTotal also provides a paid license service which offers advanced search capabilities on the dataset, downloading of any file, pivoting from one file to another, etc.

We found out that a criminal that purchased the most limited license for a couple of hundred dollars will have the ability to search and obtain victims' sensitive data that was stolen by other hackers and uploaded to VirusTotal.


What surprised you most about this finding?


In total we found almost 1 million credentials in a few days and unencrypted cryptocurrency wallets, but even more surprising is that the collected credentials were also for government sites, which will allow the criminals to easily steal the identity of the victim and use it outside of the cyber arena. This is a unique technique that allows a criminal with minimal knowledge to achieve access to a large amount of sensitive data and steal money from victims with minimal effort and with almost no risk of being caught.


What can organizations do to protect themselves from attacks like this?


Organizations should follow cyber security best practices to protect themselves from the original hacker's attack. Once the data is stolen, they have less control over where it is published. The mitigation of the publication of data in a public dataset should be done by the vendor/dataset owner, for example by removing or disallowing uploads of files that contain sensitive data.
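One control an organisation can apply on its own side, added here as an example and not part of the SafeBreach research or of any VirusTotal tooling: before a suspicious file is sent to a public scanner, check it for text that looks like exported credentials or keys and divert hits to a private sharing channel or human review instead of a public upload. The indicator patterns, the threshold and the sample inputs below are constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass, field

# Text shapes typical of credential dumps and exported secrets. Constructed for
# this example; tune them to the data your organisation actually handles.
INDICATORS = {
    "labelled_password": re.compile(r"^\s*(?:pass(?:word)?|pwd)\s*[:=]\s*\S+", re.I | re.M),
    "url_colon_user_colon_pass": re.compile(r"^https?://\S+?:[^:\s]+:[^:\s]+\s*$", re.M),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass
class Verdict:
    allow_public_upload: bool
    findings: dict = field(default_factory=dict)  # indicator name -> hit count


def assess(data: bytes, threshold: int = 1) -> Verdict:
    """Decide whether a sample may go to a public scanner.

    Binary samples (PE files etc.) are decoded leniently; the patterns run over
    whatever printable text survives, which is where stealer logs live anyway.
    A genuine stealer binary may itself contain strings such as "Password:",
    so a failed gate means "share privately / review", not "the file is benign".
    """
    text = data.decode("utf-8", errors="ignore")
    findings = {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}
    findings = {name: hits for name, hits in findings.items() if hits}
    return Verdict(allow_public_upload=sum(findings.values()) < threshold, findings=findings)


# Constructed samples: a stealer-log style export, a url:user:pass list, and a
# harmless binary-looking blob with no secrets in it.
SAMPLE_STEALER_LOG = b"Soft: Chrome\nURL: https://portal.example.gov/login\nUSER: jdoe\nPASS: hunter2\n"
SAMPLE_CRED_LINES = b"https://mail.example.com:alice:Secret123\nhttps://shop.example.net:bob:Pa55word\n"
BENIGN_SAMPLE = b"MZ\x90\x00This program cannot be run in DOS mode.\r\nkernel32.dll GetProcAddress\n"

if __name__ == "__main__":
    for label, blob in (("stealer log", SAMPLE_STEALER_LOG),
                        ("cred lines", SAMPLE_CRED_LINES),
                        ("benign", BENIGN_SAMPLE)):
        v = assess(blob)
        print(f"{label}: public upload {'OK' if v.allow_public_upload else 'BLOCKED'} {v.findings}")
```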


Do you expect that we will see this type of attack in another form in the future?


Attackers will always try to find the loophole and break the chain by its weakest link. In the Windows exploitation world, the cost from a memory corruption vulnerability to a working 0-day exploit increased to a level that forces the hackers to look for easier and more profitable vectors. They began to use logical bugs like Log4j, social engineering tricks and even a few

ago started using Microsoft Office files (a method that was common 20 years ago). We believe that we will see this trend surge when the cost of attacks increases to a level that will force hackers to think out of the box.

