Researchers at UK-based threat intelligence firm Cyjax have studied files submitted to three popular online malware analysis sandboxes and found that many of the publicly accessible files contain sensitive information.
The analysis was carried out over a period of three days last week and it covered three unnamed sandbox services that allow users to upload files to determine whether they are malicious or benign. All of the researched services have public feeds that allow anyone to view or download the submitted files.
Cyjax’s analysis focused on PDF documents and email files (.msg and .eml). Researchers identified over 200 invoices and purchase orders, which they say is not surprising considering that businesses often email these types of documents.
In one case, a company that provides a popular deployment tool for Windows admins, with customers that include courthouses and schools, appeared to have uploaded every purchase order it received to the sandbox.
“By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organisation: this is extremely useful information for a threat actor conducting a spear phishing or BEC fraud campaign,” Cyjax researchers said.
Cyjax also identified dozens of resumes and professional certificates, some of which included passport copies. The company also discovered publicly accessible insurance certificates containing personal information such as names, phone numbers, email addresses and physical addresses.
One of the exposed files appeared to be a U.S. CENTCOM requisition form for use of military aircraft, and it included names, traveler contact details, and information about the journey.
CENTCOM and the company that uploaded all of its purchase orders have been notified and have launched investigations.
Medical and legal documents were also exposed through the malware analysis sandboxes.
The researchers also analyzed a URL scanning service over the same three-day period and found that many of the submitted URLs pointed to sensitive data hosted on services such as Google Drive and the file sharing service WeTransfer.
“The links sent to the intended recipient are deliberately large and nearly impossible to guess. By submitting them to the URL scanning service, they are being published for anyone to see and access,” Cyjax said.
In one case, a high school in the U.S. uploaded a Google Drive link pointing to a document with the names and addresses of over 200 students, along with links to resumes and scans of IDs. The school was notified, but it had not taken action by the time Cyjax published its blog post.
“The volume of sensitive documents collected in only three days was staggering. In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims,” the company said, pointing out that it will likely only get worse as more companies turn to malware sandboxes for analysis.
“While the adoption of malware sandboxes is a positive development, companies need to better understand how the files they share are processed. Many providers require payment to submit files privately, meaning that everyone who uses the free service will have their files shared by default,” Cyjax explained.
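The two exposure paths described above (a secret share link handed to a public URL scanner, and a document with contact details handed to a free sandbox tier whose feed is public) can be caught before submission with a simple triage gate. The following is an added example written for this article, not tooling from Cyjax or from any of the sandbox services; the list of share-link hosts, the PII patterns and the sample purchase order are all assumptions constructed for illustration, and a real deployment would tune them to its own document types.

```python
import re
from urllib.parse import urlparse

# Assumed list of hosts that hand out long, unguessable "capability" links.
# Submitting such a link to a public URL scanner publishes the secret path.
SHARE_HOSTS = {
    "drive.google.com", "docs.google.com",
    "wetransfer.com", "we.tl",
    "dropbox.com", "onedrive.live.com", "1drv.ms",
}

# Assumed, deliberately coarse PII indicators; tune to your own documents.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d .()-]{8,}\d"),
    "passport_keyword": re.compile(r"\bpassport\b", re.I),
    "invoice_keyword": re.compile(r"\b(invoice|purchase order)\b", re.I),
}


def is_share_link(url: str) -> bool:
    """True when the URL's host is (or is under) a known file-sharing host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SHARE_HOSTS)


def pii_hits(text: str) -> dict[str, int]:
    """Count matches per PII indicator; indicators with no hits are omitted."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def submission_decision(kind: str, payload: str, private: bool = False):
    """Decide whether a submission may go to a sandbox or URL scanner.

    kind     -- "url" or "file" (file payload is the extracted text)
    private  -- True if the paid/private tier is in use, i.e. the provider
                will not put the submission on a public feed
    Returns (verdict, reasons) with verdict in {"allow", "block"}.
    """
    reasons = []
    if kind == "url" and is_share_link(payload):
        reasons.append("share link: the secret URL would be published")
    if kind == "file":
        for name, count in pii_hits(payload).items():
            reasons.append(f"{name} x{count}")
    if reasons and private:
        # Private tier keeps it off the public feed; surface the finding anyway.
        return "allow", ["private tier: " + r for r in reasons]
    return ("block", reasons) if reasons else ("allow", [])


# Constructed sample of the kind of document the research found exposed.
SAMPLE_INVOICE = """Purchase Order 4471
Bill to: Example County Courthouse
Contact: j.doe@example.org, +1 (555) 010-4242
Item: 25 seats, deployment tool, annual licence"""


if __name__ == "__main__":
    print(submission_decision("url", "https://drive.google.com/file/d/1aBcD/view"))
    print(submission_decision("file", SAMPLE_INVOICE))
    print(submission_decision("file", "MZ this program cannot be run in DOS mode"))
```

The gate is intentionally conservative: an invoice that trips the PII patterns is held back from the free tier and, on the private tier, still reported so that the analyst knows what is being shared with the provider. A genuinely suspicious attachment that contains a customer's contact block can still be submitted, but only after someone has looked at what leaves the organisation.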