Misuse of Alphabet’s Virus Scanner is Exposing Sensitive Files
Companies are misusing Alphabet Inc.’s virus scanner and similar products, and are unwittingly leaking data ranging from factory blueprints to intellectual property online, Israeli cybersecurity company Otorio Ltd. said.
The firm said it discovered thousands of unprotected files from companies in the pharmaceutical, industrial, automotive and food industries as part of a project to research the malware logged by VirusTotal, which is owned by Alphabet’s cybersecurity subsidiary Chronicle. Otorio didn’t find any documents uploaded to VirusTotal that had been used in a cyberattack.
“From what we found, we could design a very constructive hack. We found files that gave us a blueprint of how to infiltrate the production floor,” said Otorio Chief Executive Officer Daniel Bren, a reserve brigadier general who established the Israeli army’s cyber defense unit. “The companies’ trademarked secrets are on those blueprints.”
VirusTotal makes scanned documents available to cybersecurity firms and researchers to help improve the detection of malware. Scanning incoming files for malicious attacks with online services is common practice, but some security teams are uploading files indiscriminately, without understanding the terms of use or the potential risk, Otorio said.
The Israeli firm, which specializes in cybersecurity for industrial control systems, contacted VirusTotal about its findings in July, and Otorio said the company agreed that there was a need to raise awareness about how the service works and how security applications should be configured. The idea, said Bren, was to make the industrial sector aware of the problem so “they improve the situation, and not to poke them in the eye.”
VirusTotal’s online terms of service state, in all caps, that users agree to only upload samples that they wish to publicly share, and warn them not to submit anything that includes confidential, commercially sensitive or personal data without permission.
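As an added example (not part of the article, and not VirusTotal’s or Otorio’s code), the following Python sketch shows the kind of configuration the article says is missing: a submission gate that looks a file up by hash before anything is uploaded, never auto-uploads document types, and holds back anything carrying a sensitivity marker. The file-signature table, the marker list, the sample files and the decision rules are this example’s own assumptions; the only real identifier is the documented VirusTotal API v3 hash-lookup URL, which the script builds but never contacts.

```python
"""Submission gate for an online file-scanning service.

Added example: models a policy in which the hash lookup (which discloses only a
digest) always comes first, and the file body is sent only when the sample is
unknown, is an executable, and carries no sensitivity markers. Signature
tables, markers and samples below are constructed for the example.
"""
import hashlib
from dataclasses import dataclass

# Constructed signature tables (assumption for this example; not exhaustive).
# Office Open XML files are zip containers, so they match the "PK" signature.
DOCUMENT_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip container (docx/xlsx/pptx or archive)",
    b"\xd0\xcf\x11\xe0": "ole2 compound file (doc/xls/ppt)",
    b"AC10": "dwg drawing",
}
EXECUTABLE_MAGIC = {
    b"MZ": "pe executable",
    b"\x7fELF": "elf executable",
}
# Constructed DLP markers; a real deployment would plug in its own classifier.
SENSITIVITY_MARKERS = (b"CONFIDENTIAL", b"PROPRIETARY", b"INTERNAL ONLY")

# Documented VirusTotal API v3 hash-lookup endpoint. This example only formats
# the URL so the reader can see that a lookup sends a digest, not the file.
VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{sha256}"


@dataclass(frozen=True)
class Decision:
    sha256: str
    kind: str      # "executable", "document" or "unknown"
    action: str    # "lookup_only", "upload" or "block"
    reason: str


def classify(data: bytes) -> str:
    """Coarse content type from leading bytes; unknown types are not uploaded."""
    if any(data.startswith(m) for m in EXECUTABLE_MAGIC):
        return "executable"
    if any(data.startswith(m) for m in DOCUMENT_MAGIC):
        return "document"
    return "unknown"


def looks_sensitive(data: bytes) -> bool:
    """Case-insensitive marker scan over the whole buffer."""
    upper = data.upper()
    return any(marker in upper for marker in SENSITIVITY_MARKERS)


def decide(data: bytes, known_hashes: set) -> Decision:
    """Gate one file.

    `known_hashes` stands in for the answer a client would get from
    VT_FILE_LOOKUP (constructed here so the example runs offline).
    """
    digest = hashlib.sha256(data).hexdigest()
    kind = classify(data)
    if digest in known_hashes:
        return Decision(digest, kind, "lookup_only",
                        "verdict already available by hash; nothing leaves the network")
    if kind != "executable":
        return Decision(digest, kind, "block",
                        f"{kind} content is never auto-uploaded; route to a private sandbox")
    if looks_sensitive(data):
        return Decision(digest, kind, "block",
                        "sensitivity marker found; requires analyst approval")
    return Decision(digest, kind, "upload", "unknown executable without markers")


if __name__ == "__main__":
    # Constructed samples standing in for an inbound mail attachment queue.
    samples = {
        "layout.pdf": b"%PDF-1.7\n% CONFIDENTIAL production floor layout\n",
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
        "notes.txt": b"plain text of unknown provenance",
    }
    already_seen = {hashlib.sha256(samples["tool.exe"]).hexdigest()}
    for name, data in samples.items():
        d = decide(data, already_seen)
        print(f"{name:12} {d.kind:10} {d.action:12} {d.reason}")
        print(f"{'':12} lookup: {VT_FILE_LOOKUP.format(sha256=d.sha256)}")
```

The ordering is the whole point: a hash lookup is safe to automate because only the digest leaves the organisation, whereas an upload publishes the file to every downstream consumer of the service, so the gate treats "upload" as the exception that needs a positive reason rather than the default for every attachment.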
Researchers working for academic institutions and cybersecurity companies can get access to the uploaded data after some screening and meeting certain criteria, which includes promising not to make commercial use of the information, Bren said. Rogue researchers may easily misuse this important service and publish documents, he said.
A representative for VirusTotal said that the company screens all customers before giving them access to the data. Researchers don’t have searchable access to the file base and customers that are found to abuse any data are cut off, the representative said. VirusTotal will also remove information that’s uploaded by mistake.
Google acquired VirusTotal in 2012 and the firm was later moved to parent company Alphabet’s Chronicle subsidiary.
The types of project files uploaded may contain anything from information about supply chains to building entry points. Exposing them could lead to incidents similar to the ransomware attack that hit aluminum producer Norsk Hydro ASA in March, Otorio said. That attack caused production outages as the rogue agents stopped computer systems from working while they demanded a ransom.