VirusTotal and SafeBreach case: The whole truth and nothing but the truth

VirusTotal, SafeBreach

Here is the whole truth, and what they haven't told you, about the VirusTotal case (VirusTotal is owned by Google) and the discovery by the Israeli company SafeBreach. It is not as it has been reported in several media outlets, including this one, which let itself be carried away by sources that implied something different. Therefore, from LxA I apologize to VT and I will try to explain what really happened, which is not as serious as it seemed.

What was implied?

What was hinted at in this case was that SafeBreach had discovered an alleged weakness in VirusTotal, which also led to news about alleged attacks on the VT service (which were no such thing), and even alleged contacts with Google (owner of VirusTotal through its Chronicle Security subsidiary) to have the problem corrected. However, Google has kept quiet. The reason? You will understand in the next section...

Supposedly, with a $600 monthly VirusTotal license you could get access to endless user credentials using a few simple searches within the service, among them files with stolen data (email addresses, usernames, passwords, access credentials for social networks, e-commerce sites, streaming platforms, online government services, online banking, and even passwords for private cryptocurrency wallets).

According to Bar, one of the SafeBreach researchers, "Our goal was to identify the data that a criminal could collect with a VirusTotal license", a method they have baptized VirusTotal Hacking.

"An offender using this method may collect an almost unlimited amount of credentials and other sensitive user data with very little effort in a short period of time using an infection-free approach. We call it the perfect cybercrime, not only because of the fact that there is no risk and very low effort, but also because of the inability of victims to protect themselves from this type of activity. After victims are hacked by the original hacker, most have little visibility into what sensitive information is uploaded and stored on VirusTotal and other forums".

Now the truth about what happened with VirusTotal

Malaga-based VirusTotal launched a service called VT Intelligence in 2009 to take advantage of all the information that arrives at this online multi-antivirus service. The portal was launched as a large database for researchers in the cybersecurity sector and for companies with security departments, who can access all this data with the aim of investigating and improving the security of their products and users.

Restricted access to VT Intelligence

In other words, neither users with the aforementioned $600 license nor other cybercriminals could access such data, nor can just any company access VT Intelligence. Everyone who has access goes through a vetting process to verify that the company is trustworthy and reputable, in addition to having a suitable use case for accessing that database.

Database content and sources

That database contains very diverse information, with threats of all kinds: malware, advanced exploits, phishing kits, hacking tools taken from underground hacking forums, carding material, logs (records) and files with credentials that have been exposed on those sites, etc.

All of that comes from various sources:

  • Companies
  • CERTs
  • Anonymous users
  • Via API from many other sites
  • Etc.

Reassuring users

Therefore, when SafeBreach obtained any of those files with credentials or logs with sensitive information, it is because that data had already been compromised or leaked before reaching the VT Intelligence database. In other words, VirusTotal is not the source from which this private data emanates; rather, it is an intermediate database between the threats that allowed this data to be extracted and the SafeBreach experiment.

Entities with access to VT Intelligence can thus use all this information to deploy solutions or to notify their customers that they may have been affected by these cyberattacks or leaks.

Conclusion

VirusTotal cannot be used as a source for extracting sensitive data in the way SafeBreach hints. The vast majority of these credentials had already been changed by the time it was reported that they had been exposed. And if they haven't been changed, they probably won't have much of an impact.

What's more, even if they never reached VirusTotal, they would still be exposed on the sites from which cybersecurity researchers extracted them.

The only thing SafeBreach has done, apart from creating all this fuss, is a thought exercise about what would happen if a hypothetical attacker could gain access to VT Intelligence.

Zero drama!
