
Organizations Expose Sensitive Data via Malware Analysis Sandboxes

Researchers at UK-based threat intelligence firm Cyjax have studied files submitted to three popular online malware analysis sandboxes and found that many of the publicly accessible files contain sensitive information.

The analysis was carried out over a period of three days last week and it covered three unnamed sandbox services that allow users to upload files to determine whether they are malicious or benign. All of the researched services have public feeds that allow anyone to view or download the submitted files.

Cyjax’s analysis focused on PDF documents and email files (.msg and .eml). Researchers identified over 200 invoices and purchase orders, which they say is not surprising considering that businesses often email these types of documents.

In one case, a company that provides a popular deployment tool for Windows admins — its customers include courthouses and schools — appeared to have uploaded all received purchase orders to the sandbox.

“By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organisation: this is extremely useful information for a threat actor conducting a spear phishing or BEC fraud campaign,” Cyjax researchers said.

Cyjax also identified tens of resumes and professional certificates, including ones containing passport copies. The company also discovered publicly accessible files storing insurance certificates containing personal information such as names, phone numbers, email addresses and physical addresses.

One of the exposed files appeared to be a U.S. CENTCOM requisition form for use of military aircraft, and it included names, traveler contact details, and information about the journey.

CENTCOM and the company that uploaded all of its purchase orders have been notified and have launched investigations.

Medical and legal documents were also exposed through the malware analysis sandboxes.

The experts have also analyzed a URL scanning service over the 3-day period and found that many of the submitted URLs pointed to sensitive data hosted on services such as Google Drive and the file sharing service WeTransfer.

“The links sent to the intended recipient are deliberately large and nearly impossible to guess. By submitting them to the URL scanning service, they are being published for anyone to see and access,” Cyjax said.
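As an added illustration (not part of the original article or Cyjax's research), the following Python sketch shows a pre-submission check that flags URLs whose secrecy is their only access control before they are sent to a public scanning service. The host list, the length and entropy thresholds, and all function names are assumptions made for this example.

```python
import math
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: sharing hosts to flag; the article names Google Drive and WeTransfer.
SHARING_HOSTS = ("drive.google.com", "docs.google.com", "wetransfer.com", "we.tl")
MIN_TOKEN_LEN = 20      # assumed threshold
MIN_ENTROPY_BITS = 3.5  # assumed threshold, bits per character

def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_secret(token):
    """Long, mixed letters and digits, high entropy. Over-flags by design."""
    return (len(token) >= MIN_TOKEN_LEN
            and any(ch.isdigit() for ch in token)
            and any(ch.isalpha() for ch in token)
            and shannon_entropy(token) >= MIN_ENTROPY_BITS)

def secret_like_tokens(url):
    """Return path segments and query values that look like unguessable tokens."""
    parts = urlsplit(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [value for _, value in parse_qsl(parts.query)]
    return [t for t in candidates if looks_secret(t)]

def review_before_public_scan(url):
    """Return the reasons not to send this URL to a public scanner (empty if none)."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
        reasons.append("file-sharing host: " + host)
    if secret_like_tokens(url):
        reasons.append("unguessable token in URL")
    return reasons

# Constructed sample URLs (not real links).
SAMPLES = [
    "https://drive.google.com/file/d/1aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW/view?usp=sharing",
    "https://files.example.org/dl?token=Zx8Qw2Lk9Pm4Vb7Nc1Rt6Yh3Jd5Gs0Fa",
    "http://example.com/login.php",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", review_before_public_scan(u) or "ok to submit")
```

A URL that returns any reason is a candidate for private analysis instead of a public feed.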

In one case, a high school in the U.S. uploaded a Google Drive link pointing to a document with the names and addresses of over 200 students, along with links to resumes and scans of IDs. The school was notified, but it had not taken action by the time Cyjax published its blog post.

“The volume of sensitive documents collected in only three days was staggering. In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims,” the company said, pointing out that it will likely only get worse as more companies turn to malware sandboxes for analysis.

“While the adoption of malware sandboxes is a positive development, companies need to better understand how the files they share are processed. Many providers require payment to submit files privately, meaning that everyone who uses the free service will have their files shared by default,” Cyjax explained.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
