Accidental VirusTotal upload is a valuable reminder to double check what you share

Christopher Boyd

Christopher Boyd

A document accidentally uploaded to Googleā€™s VirusTotal service has resulted in the potential exposure of defence and intelligence agency names and email addresses. The service, used to scan files for signs of potential malicious activity, is used by security professionals and folks just interested in the files making their way to their systems.

The list makes up roughly 5,600 of the siteā€™s customers, and identities multiple security-centric entities. The Record cites individuals affiliated with the NSA, FBI, Pentagon, and other US military service branches. Meanwhile, the UK tally includes ā€œa dozen Ministry of Defence personnelā€, and emails tied to CERT-UK/National Cyber Security Centre, a part of the UKā€™s Government Communications Headquarters (GCHQ).

Sadly the emails listed are not entirely anonymous. There are full names tied to emails from the Ministry of Defence, Pensions Regulator, and the Cabinet Office, among others.

The file was removed by VirusTotal within an hour of it being uploaded. Commentary from some of the impacted organisations suggest this isnā€™t that big of a deal. The UKā€™s Ministry of Defence told The Record that they consider the data to be non-sensitive, and also low risk. This is of course good news, and much better than everyone running around yelling that the sky is falling.

While there is some element of risk here, itā€™s important not to get carried away. Someone genuinely determined to pull up a name or email address can usually do it by checking relevant websites or simply asking around. After all, what use is an email address if you canā€™t email people?

As for VirusTotal itself, submitted files can be shared and analysed via the security organisations tied to the scanning service. The results are often findable online via search engine, or hunting for specific file characteristics while on the VirusTotal website. You may also sometimes see VirusTotal pages linked directly from security blogs such as our own. Accidents of this nature tend to come about because folks making use of the service donā€™t quite realise the way data is used once submitted.

In March of last year, semi-automated uploads to VirusTotal were flagged by the German Bundesamt fĆ¼r Sicherheit in der Informationstechnik (BSI). This translates as the Federal Office for Security in Information Technology. In some cases, the documents being uploaded were confidential and should not have made their way to the VirusTotal service.

As we said at the time, files uploaded are not only shared with the 70 or so security vendors making up the bulk of the visible scanning service. Theyā€™re also potentially accessible to those making use of the premium features. If you make a mistake when uploading, it could be a costly one. In fact, a mistake uploading can be costly anywhere.

Iā€™d be surprised if thereā€™s anyone reading this who hasnā€™t, at some point, hit publish when they shouldnā€™t have, mailed a file that should have stayed where it is, or posted a message publicly when it was supposed to be private. It happens!

There is almost never a need to rush a process, and plenty of need to double check whatever you happen to have in the ā€œabout to sendā€ box. Some organisations will restrict what can (and cannot) be uploaded. In most cases though, the onus will be on the uploader to get it right the first time.

We have some tips with regard to VirusTotal below:

Receivers:

  • If you are in the least bit uncertain about the safety of an attachment, contact the sender and ask them about it.
  • Donā€™t use VirusTotal if you want to check whether an attachment is malicious. The result is not conclusive and you may breach confidentiality.
  • Never click on links in emails or email attachments.
  • Never ā€œEnable Editingā€ in a document, unless the sender in person assured you it was safe.

Senders:

  • Only use attachments that could be perceived as dangerous when itā€™s absolutely necessary.
  • Inform recipients about the fact that you are sending them an attachment and for what reason.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Follow the link.