Advisory 2019-004 - Business Documents and PII Data Uploaded to Virus Total

Virus Total (VT) is an online service that analyses files and URLs for malicious code (such as viruses, worms, trojans etc) using antivirus engines.

Many enterprise security products leverage VT and its extensive database of malicious file information by uploading unidentified files for analysis.

Mossé Security has been observing that some security solutions automatically upload emails to VT that contain sensitive information (including attachments), without the knowledge or consent of the organisation.

Organisations worldwide are urgently advised to immediately:

Instruct their IT team members that have not received formal training on handling suspicious files to not upload files to Virus Total
Contact their security vendors and request guarantees that their products are not uploading their emails and files to VT without formal authorisation

In this urgent security advisory, we present files pertaining to Australian organisations but Mossé Security CSIRT confirms that organisations worldwide are affected by this.

Examples

The amount of sensitive information found on VT is staggering. Leaked documents include but are not limited to the following.

Legal Documents for In-Development/Progress Legal Cases

We identified various documents and communication fragments pertaining to a legal case involving two large infrastructure organisations: Information leakage of PII data through Virus Total

Personal Information/Transaction Transcripts

Profiles, police ticket receipts, sales invoices and property valuations: Information leakage of PII customer details through Virus Total Information leakage of PII property details through Virus Total

Children's Personal Information and Addresses

One very concerning pieces of data uncovered in our findings were children’s release/permission forms, including their name, age, address, their school and phone number. Information leakage of PII children details through Virus Total

Infrastructure Details:

Our investigation uncovered leaked infrastructure (including Powerplants) documents, detailing IP addresses, firewall rules, maintenance records, as well as operational data. Cybersecurity Advisory - Information leakage of PII IP address details through Virus Total

ID card and certification Transcripts:

Many of the emails recovered included copies of staff ID card, driver’s licenses and certificates as attachments. Information leakage of PII worksafe details through Virus Total

Business Agreements, Offer Bids, Invoices:

A large portion of documents recovered pertain to business activity including contract and business bids, as well as large purchase invoices.

Company Logistics Details: Fleet Information, Staff Competencies

Documents containing technical details of company assets, staff competencies, certificates and training levels. Information leakage of PII car details through Virus Total

Recommendations

To ensure your organisation is safeguarded against data leakage stemming from Virus Total uploads, we recommend the following:

Contact your security provider and confirm that the software currently in use does not exhibit behaviour detailed above
Ensure that junior analysts and IT professionals who have not received formal training on handling suspicious files, are not uploading unidentified files to Virus Total for analysis, without first having a senior security analyst confirm that the files do not contain any sensitive data
If you are having any doubts about a vital aspect of your cyber security, contact us immediately

Published: 16/07/2019