Pierluigi Paganini August 19, 2019

A study conducted by researchers at Cyjax revealed that organizations expose sensitive data via sandboxes used for malware analysis.

Experts at the threat intelligence firm Cyjax analyzed file uploaded by organizations via malware analysis sandboxes and discovered that they were exposing sensitive data.

The researchers analyzed PDF documents and email files (.msg and .eml) uploaded to three unnamed sandbox services over a period of three days last week. All the sandboxes analyzed by the experts provide public feeds that allow users to view or download the files submitted by the users.

200 benign files were invoices and purchase orders. In one case, the experts discovered that a company that provides a popular deployment tool for Windows admins was submitting all received purchase orders into the sandbox. The company was ignoring that all these files were made public via the feed implemented by the sandbox service.

“By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organisation: this is extremely useful information for a threat actor conducting a spear phishing or BEC fraud campaign,” reads the report published by Cyjax.

Cyjax reported that CVs and professional certificates were also prevalent, exposed files contained ID photographs and addresses, and in two cases passport copies. The public availability of such kind of information could expose the owners to identity theft and other scams.

The experts also discovered a large number of insurance certificates that expose various personally identifiable information (PII), such as names, phone numbers, postal and email addresses.

One of the files exposed via the malware analysis sandboxes appeared to be a U.S. CENTCOM requisition form for use of military aircraft. The document included confidential information such as names and contact details of the travellers, alongside the journey details (future dated) and reasons for travel.

The files also included medical and legal documents.

The researchers also analyzed the URL submitted by the users to a URL scanning service over the 3-day period. Many URLs submitted to the service were pointing to sensitive data hosted on the file sharing service WeTransfer and cloud storage services such as Google Drive.

“The volume of sensitive documents collected in only three days was staggering. In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims.” concludes the company.

“While the adoption of malware sandboxes is a positive development, companies need to better understand how the files they share are processed. Many providers require payment to submit files privately, meaning that everyone who uses the free service will have their files shared by default.

We predict that this problem is likely to get worse as more companies add sandboxing to their security pipeline, underscoring the importance of educating employees now.”

Pierluigi Paganini

(SecurityAffairs – sandboxes, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]