Data Protection

Organizations Expose Sensitive Data via Malware Analysis Sandboxes

Researchers at UK-based threat intelligence firm Cyjax have studied files submitted to three popular online malware analysis sandboxes and found that many of the publicly accessible files contain sensitive information.


The analysis was carried out over a period of three days last week and it covered three unnamed sandbox services that allow users to upload files to determine whether they are malicious or benign. All of the researched services have public feeds that allow anyone to view or download the submitted files.

Cyjax’s analysis focused on PDF documents and email files (.msg and .eml). Researchers identified over 200 invoices and purchase orders, which they say is not surprising considering that businesses often email these types of documents.

In one case, a company that provides a popular deployment tool for Windows admins — its customers include courthouses and schools — appeared to have uploaded all received purchase orders to the sandbox.

“By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organisation: this is extremely useful information for a threat actor conducting a spear phishing or BEC fraud campaign,” Cyjax researchers said.

Cyjax also identified tens of resumes and professional certificates, including ones containing passport copies. The company also discovered publicly accessible files storing insurance certificates containing personal information such as names, phone numbers, email addresses and physical addresses.

One of the exposed files appeared to be a U.S. CENTCOM requisition form for use of military aircraft, and it included names, traveler contact details, and information about the journey.

CENTCOM and the company that uploaded all of its purchase orders have been notified and have launched investigations.


Medical and legal documents were also exposed through the malware analysis sandboxes.

The researchers also looked at a URL scanning service over the same three-day period and found that many of the submitted URLs pointed to sensitive data hosted on services such as Google Drive and the file sharing service WeTransfer.

“The links sent to the intended recipient are deliberately large and nearly impossible to guess. By submitting them to the URL scanning service, they are being published for anyone to see and access,” Cyjax said.

In one case, a high school in the U.S. uploaded a Google Drive link pointing to a document with the names and addresses of over 200 students, along with links to resumes and scans of IDs. The school was notified, but it had not taken action by the time Cyjax published its blog post.

“The volume of sensitive documents collected in only three days was staggering. In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims,” the company said, pointing out that it will likely only get worse as more companies turn to malware sandboxes for analysis.

“While the adoption of malware sandboxes is a positive development, companies need to better understand how the files they share are processed. Many providers require payment to submit files privately, meaning that everyone who uses the free service will have their files shared by default,” Cyjax explained.
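The practical takeaway from the two findings above (documents with personal data landing in public sandbox feeds, and unguessable share links becoming public the moment they are submitted to a URL scanner) is that the decision to use a public feed has to be made before the submission leaves the organisation. The following is an added example of such a pre-submission gate; it is not code from Cyjax, SecurityWeek or any sandbox vendor. The document extensions, keywords, share-link hosts and path prefixes, and the local verdict cache that stands in for a hash lookup are all assumptions, as is the constructed sample email:

```python
"""Pre-submission gate for public malware sandboxes and URL scanners.

Added example, not code from Cyjax, SecurityWeek or any sandbox vendor.
Before a file or URL goes to a service whose free tier publishes what it
receives: (1) check a local verdict cache so known files are never
re-uploaded, (2) route business documents carrying personal data to a
private submission path, (3) never submit pre-authorised share links,
since the URL itself is the credential. All hosts, prefixes, keywords
and the cache are assumptions.
"""
import hashlib
import re
from email import message_from_bytes
from urllib.parse import urlparse

DOCUMENT_EXTS = {".pdf", ".msg", ".eml", ".doc", ".docx", ".xls", ".xlsx"}
DOC_KEYWORDS = ("invoice", "purchase order", "passport", "resume",
                "curriculum vitae", "certificate of insurance", "requisition")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\s().-]{7,}\d(?!\d)")
TOKEN_QUERY_RE = re.compile(r"(?i)(?:^|&)(?:token|key|sig|signature|auth)=")

# Assumed share-link shapes: anyone holding such a URL can fetch the content.
SHARE_LINK_PREFIXES = {
    "drive.google.com": ("/file/d/", "/open", "/uc"),
    "docs.google.com": ("/document/d/", "/spreadsheets/d/", "/presentation/d/"),
    "wetransfer.com": ("/downloads/",),
    "we.tl": ("/",),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for a hash lookup against the sandbox or an internal verdict store.
KNOWN_HASHES = {sha256_hex(b"constructed sample of a previously analysed file"): "malicious"}


def readable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13))
    return ok / max(len(data), 1)


def extract_text(name: str, data: bytes) -> str:
    """Best-effort text: headers and text/plain parts for .eml, raw bytes
    otherwise (compressed PDF streams and OLE .msg stay opaque here)."""
    if name.lower().endswith(".eml"):
        msg = message_from_bytes(data)
        parts = [str(msg.get(h, "")) for h in ("From", "To", "Cc", "Subject")]
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    return data.decode("utf-8", "replace")


def classify_file(name: str, data: bytes) -> dict:
    """Decide 'known', 'private_only' or 'public_ok' and say why."""
    digest = sha256_hex(data)
    if digest in KNOWN_HASHES:
        return {"decision": "known", "sha256": digest,
                "reasons": [f"cached verdict: {KNOWN_HASHES[digest]}"]}
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in DOCUMENT_EXTS:
        return {"decision": "public_ok", "sha256": digest, "reasons": []}
    reasons = []
    # A document we cannot read is not proven harmless; keep it private.
    if ext != ".eml" and readable_ratio(data) < 0.7:
        reasons.append("document content is not inspectable; treat as opaque")
    text = extract_text(name, data)
    lowered = text.lower()
    reasons += [f"keyword: {kw}" for kw in DOC_KEYWORDS if kw in lowered]
    addresses = set(EMAIL_RE.findall(text))
    if addresses:
        reasons.append(f"{len(addresses)} email address(es)")
    if PHONE_RE.search(text):
        reasons.append("phone number")
    return {"decision": "private_only" if reasons else "public_ok",
            "sha256": digest, "reasons": reasons}


def classify_url(url: str) -> dict:
    """Refuse URLs that are capabilities: share links or token-bearing queries."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    prefixes = SHARE_LINK_PREFIXES.get(host)
    if prefixes and parsed.path.startswith(prefixes):
        return {"decision": "private_only",
                "reasons": [f"pre-authorised share link on {host}"]}
    if TOKEN_QUERY_RE.search(parsed.query):
        return {"decision": "private_only", "reasons": ["query string carries a token"]}
    return {"decision": "public_ok", "reasons": []}


# Constructed sample inputs (not real organisations or people).
SAMPLE_EML = b"""From: Dana Reyes <purchasing@example-county-courts.gov>
To: orders@example-vendor.test
Subject: Purchase Order 4471 - deployment tool licences
Content-Type: text/plain; charset=utf-8

Please find attached PO 4471 for 250 seats.
Questions: Dana Reyes, +1 555 010 2299, purchasing@example-county-courts.gov
"""
OPAQUE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\nstream\n" + bytes(range(256)) * 8 + b"\nendstream\n"

if __name__ == "__main__":
    for name, data in (("PO-4471.eml", SAMPLE_EML), ("scan.pdf", OPAQUE_PDF),
                       ("dropper.exe", b"MZ\x90\x00" + bytes(64))):
        print(name, classify_file(name, data))
    for url in ("https://drive.google.com/file/d/1AbCdEfGhIjK/view?usp=sharing",
                "https://login-example.test/verify?id=9"):
        print(url, classify_url(url))
```

Two design choices are worth stating. Scanning raw bytes cannot see text inside compressed PDF streams or an OLE .msg container, so the gate treats an uninspectable document as private-only rather than public-ok; a production version would run a real text extractor first. And the URL rule does not try to judge whether the linked content is sensitive, because it cannot know: a Drive or WeTransfer link is a bearer capability, and publishing it to a feed is the leak. Whatever private path the service offers, the sandbox vendor's own documentation on how free-tier submissions are shared is what should drive the policy, not the assumptions here.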

Related: First American Financial Exposed Millions of Sensitive Documents

Related: Provider of Data Integration Services for Fortune 100 Firms Exposed Sensitive Files

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
