VirusTotal hacking – Hackers can access trove of stolen credentials on VirusTotal

by New York Tech Editorial Team
January 19, 2022

Dubbed VirusTotal Hacking, the attack allowed researchers to access 1,000,000 login credentials exfiltrated by unencrypted crypto wallets and different types of malware.

Security researchers at SafeBreach have discovered a way to collect huge amounts of stolen user credentials simply by executing searches on VirusTotal. VirusTotal is an online platform used to examine suspicious URLs and documents.

The problem with this new finding is that VirusTotal can be exploited to steal large amounts of credentials without hacking an organization’s network or buying the credentials.

Research Findings

According to SafeBreach researchers, they could collect over 1,000,000 credentials exfiltrated by unencrypted cryptocurrency wallets and different types of malware. The researchers managed to conduct the hack by executing simple searches using a $679 VirusTotal license and tools.

It all started with curiosity about what kind of data a cybercriminal or hacker could collect with a VirusTotal license. A user with this license can perform a wide range of tasks, such as searching the service’s dataset with several queries to reveal the file type, submitted data, file name, country, file content, etc.

How Was The Hacking Planned?

SafeBreach researchers decided to hack VirusTotal to determine if a cybercriminal can exploit this service to steal credentials. Their research was based on the Google Hacking method. 

Researchers were able to access sensitive data belonging to 1,300 government sites from 48 countries (Source: SafeBreach)

This method is used by criminals to scan for vulnerable websites, web shells, internet of things devices, and sensitive data leaks. Researchers revealed in their report that most information stealers collect credentials from various platforms like forums, browsers, and mail accounts and write them to a hard-coded filename, for instance, all_credentials.txt. 

This file is then exfiltrated to the attacker’s C2 server from the targeted device. SafeBreach’s team of researchers used VirusTotal tools and APIs like VirusTotal Graph, search, and Retrohunt to find files containing stolen data. SafeBreach’s director of security research, Tomer Bar, stated that this is a pretty straightforward technique to steal data from VirusTotal.

It is quite a straightforward technique, which doesn’t require a strong understanding of malware. All you need is to choose one of the most common info stealers and read about it online.

Tomer Bar – SafeBreach

Malware Used in the Research

According to SafeBreach’s report, researchers used known malware like Azorult, RedLine Stealer, Raccoon Stealer, and Hawkeye in their experiment. They also used popular forums like Snatch_Cloud and DrDark to uncover sensitive data that is readily available to criminals in VirusTotal.

Furthermore, researchers used VirusTotal Query to look for binaries identified by an antivirus engine. They got 800 results in return. Then they searched for files titled DomainDetects.txt. This is one of the file names that the RedLine malware can exfiltrate. They received hundreds of exfiltrated files in return.

Example of password file exfiltrated by RedLine malware (left) – One of the ZIP files, when extracted, contained plain text login credentials for Snapchat, Apple, Facebook, and other sensitive data (middle) – One of the RAR files when extracted contained data on 500 victims, including 22,715 passwords from several different websites (right) (Source: SafeBreach)

Thereupon, they used VirusTotal Graph to explore the dataset visually and found a RAR file containing exfiltrated data belonging to around 500 victims, including 22,715 passwords from different websites, larger files with more passwords, and government-related website URLs as well.

We proved that the “VirusTotal hacking” method works at scale. A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cybercrime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity.

Tomer Bar – SafeBreach

No action from Google

Bar also revealed that the company informed Google (since Google’s subsidiary company Chronicle Security owns VirusTotal) about their findings with recommendations that the sensitive data on the website should be immediately deleted. 

However, after a month, Google thanked researchers for the alert but did not delete any of the reported data/files. Therefore, at the time of writing, the reported data was still accessible to malicious elements.


ghostadmin

Take away:

  • VirusTotal hosts our data
  • Google will not delete that data
  • Cybercriminals can access that data
