A recent Threatpost article discussed the possibility that malware scanning services could be the next listening outpost for criminals and nation-state attackers as services such as VirusTotal (which has a very good reputation) are becoming containers for personal, business and even classified information because of some organizations' policy decision to upload every file, document and e-mail.
I sure hope law firms are not making such decisions.
Markus Neis, threat intelligence manager at Swisscom AG, has joined the growing chorus of experts warning organizations to be more selective about data sent to scanning services. At the Kaspersky Lab Security Analyst Summit, Neis shared his research into the problem and how, with some crafted YARA rules (Google those if you don't know what they are), he was able to return thousands of e-mails marked as confidential, as well as corporate business plans and government e-mails. He also found 800 TLP (Traffic Light Protocol) Amber STIX documents from the Department of Homeland Security and 60 documents coming from the FBI which were either TLP Green or TLP Amber. TLP Amber or Red documents are not meant to be shared and are considered classified. Neis said there is no shortage of PGP keys, VPN credentials and SSH private keys sitting in documents uploaded to VirusTotal and undoubtedly other scanning services.
Google-owned VirusTotal has taken measures to cut down on abuses of its service. But licensed VirusTotal users do have the ability to download files (this may not be the case with other malware scanning services). Neis said he uploaded a Word document containing a Canarytoken that alerted him whenever the file was opened; within two days it had been distributed and downloaded in the U.S., Germany, Russia and Poland.
Third-party business partners are one of the biggest offenders. Business data used in outsourcing engagements is often automatically sent to a malware scanner and the original data owners are none the wiser. "It seems to be a common thing for suppliers or outsourcing contractors in India that they are uploading stuff like that," Neis said.
"The major thing is that you totally lose control over your data and encryption is no help," Neis said. "The supplier decrypts it and sends it to VirusTotal."
I agree totally with what Neis concludes:
"My hope is that people realize we can find to some extent an understanding of what is happening and that a malware repository or scanning service is not something they should use as a strategy where you're putting your data just to make sure the data you have just received is not a threat to you," Neis said. "Instead, you should go to your own security team and ask them for help. A lot of people are overwhelmed with all the email and attachments they receive. You can't blame them. What should happen is that organizations should start enabling their own employees to learn how they should treat that, and also the security team in turn could start to block VirusTotal on the proxy and create something internal like a central point where you can hand stuff in and the security team can decide whether to upload that."
Wholesale data uploads to malware scanning containers are a very dangerous practice – for law firms and anyone else with confidential data.
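The internal "central point" Neis describes needs some logic to decide what may go out to an external scanner and what must wait for a human. The following is an added example, written for this post and not code from the article, Threatpost, Neis or VirusTotal: a pre-submission gate that screens a candidate file for the same kinds of markers Neis reported finding in VirusTotal uploads (TLP labels, confidentiality banners, PGP and SSH private key blocks) and holds anything sensitive for the security team instead of forwarding it. The rule names, the regular expressions standing in for YARA rules, the size limit and the sample documents are all constructed for illustration; a production intake would run real YARA rules and a proper document-text extractor, but the decision flow is the same.

```python
"""Pre-submission gate for an internal malware-sample intake point.

Added example (not from the article or from Neis's research). Screens a
file's bytes for markers of confidential content before it is allowed to
leave for an external scanner. Rule names, patterns, the member-size limit
and the sample documents are constructed for illustration.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Assumed policy: "hold" rules stop automatic upload, "flag" rules only
# annotate the submission so the security team sees the context.
@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # "hold" or "flag"

RULES = [
    Rule("tlp_amber_or_red", re.compile(rb"TLP:\s*(AMBER|RED)", re.I), "hold"),
    Rule("tlp_green", re.compile(rb"TLP:\s*GREEN", re.I), "flag"),
    Rule("confidential_banner",
         re.compile(rb"\b(CONFIDENTIAL|PRIVILEGED|ATTORNEY[- ]CLIENT)\b", re.I), "hold"),
    Rule("pem_private_key",
         re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), "hold"),
    Rule("pgp_private_key", re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"), "hold"),
]

MAX_MEMBER_BYTES = 10_000_000  # constructed limit: do not inflate huge zip members

@dataclass
class Decision:
    action: str                       # "submit" to the scanner or "hold" for review
    hits: dict = field(default_factory=dict)  # rule name -> rule action

def _payloads(data: bytes):
    """Yield the blobs to scan: the raw file and, when it is a zip container
    such as .docx/.xlsx, every member (Word text lives in word/document.xml)."""
    yield data
    if data[:2] != b"PK":
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.file_size <= MAX_MEMBER_BYTES:
                    yield z.read(info)
    except zipfile.BadZipFile:
        return  # looked like a zip but is not one; the raw scan already ran

def screen(data: bytes) -> Decision:
    """Apply every rule to every payload and decide whether the file may go
    to an external scanner. One hold hit is enough to stop the upload."""
    hits = {}
    for blob in _payloads(data):
        for rule in RULES:
            if rule.name not in hits and rule.pattern.search(blob):
                hits[rule.name] = rule.action
    action = "hold" if "hold" in hits.values() else "submit"
    return Decision(action, hits)

def make_docx_like(text: str) -> bytes:
    """Build a minimal OOXML-style zip so the container path can be exercised
    offline (constructed test input, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p>"
                   "</w:body></w:document>")
    return buf.getvalue()

# Constructed sample submissions an employee might hand in.
SAMPLES = {
    "invoice.txt": b"Invoice 4471\nTotal due: 1,200 EUR\nThank you for your business.\n",
    "plan.txt": b"CONFIDENTIAL - Board only\nFY plan: expand to three new markets.\n",
    "advisory.txt": b"TLP:AMBER\nIndicators for a campaign, do not redistribute.\n",
    "id_ed25519": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   b"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n"
                   b"-----END OPENSSH PRIVATE KEY-----\n"),
    "notice.docx": make_docx_like("TLP:GREEN routine notice for all staff"),
    "memo.docx": make_docx_like("Attorney-Client privileged memo"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        d = screen(data)
        print(f"{name:14} -> {d.action:6} {sorted(d.hits)}")
```

Files that come back as `hold` stay in the internal queue until someone on the security team looks at them; `submit` files can be forwarded to the scanner by the same intake service, so no employee ever needs a direct path to VirusTotal once the proxy block is in place. Pattern matching on raw bytes is deliberately conservative: a false "hold" costs an analyst a minute, while a missed marker costs the kind of exposure Neis measured.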
Hat tip to Jeff Sallee.
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology