Security Researchers Expose Sensitive Data via Malware Analysis Sandboxes

Security experts at the UK-based threat intelligence company Cyjax have studied data submitted to three popular online malware analysis sandboxes and discovered that much of the publicly accessible information consists of potentially sensitive files.

The investigation was conducted over three days and covered three sandbox services that let users upload files to determine whether they are malicious.

Cyjax's investigation focused specifically on PDF documents and email files (.msg and .eml). The security experts found over 200 invoices and purchase orders, which is not surprising, since companies often send this kind of document by email.

In one instance, a business that provides a deployment tool for Windows admins appears to have uploaded all of the purchase orders it received to the sandbox.

"By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organization: this is extremely useful information for a threat actor conducting a spear phishing or BEC fraud campaign," the Cyjax security analysts said.

Cyjax also spotted dozens of resumes and professional certificates, some of which included passport copies. The researchers further uncovered publicly accessible insurance certificates containing personal data such as names, phone numbers, email addresses, and physical addresses.

One such file appears to be a U.S. CENTCOM requisition form for the use of military aircraft; it contained names, traveler contact details, and information about the journey.

CENTCOM and the firm that uploaded all of these purchase orders have been informed and have launched investigations.

Medical and legal documents were also found on the malware analysis sandboxes during the investigation.

The Cyjax researchers have also analyzed a URL scanning service over the investigation period and discovered that many of the submitted URLs pointed to potentially sensitive info hosted on popular services like Google Drive and the file-sharing service WeTransfer.

"The links sent to the intended recipient are deliberately large and nearly impossible to guess. By submitting them to the URL scanning service, they are being published for anyone to see and access," Cyjax said.

In one such instance, a high school in the USA uploaded a Google Drive link leading to a .doc file with the names and addresses of over 200 students. The document also contained links to resumes and scans of their IDs. The school was informed by Cyjax but had not yet taken action.

"The volume of sensitive documents collected in only three days was staggering. In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims," the security company explained. "While the adoption of malware sandboxes is a positive development, companies need to better understand how the files they share are processed. Many providers require payment to submit files privately, meaning that everyone who uses the free service will have their files shared by default," Cyjax added.

September 17, 2019
