"Security Researchers Say Attackers Can Access Unlimited Stolen User Credentials Through Simple VirusTotal Hacking Techniques"

Security researchers at SafeBreach found a way to collect millions of stolen user credentials by executing searches on VirusTotal, Google's malware analysis platform. The team collected 1 million credentials using a VirusTotal license, a few premium platform tools, and Application Programming Interfaces (APIs). An attacker with a VirusTotal license can query the platform's dataset with a combination of queries for file type, file name, submitted data, country, file content, and more. The team demonstrated the infection-free approach, called VirusTotal hacking, which is based on Google hacking, where criminals search for vulnerable systems, Internet of Things (IoT) devices, and web shells. Information stealers collect credentials from forums, mail accounts, browsers, and other sources, and then write them to a fixed, hard-coded file. The stealer then takes this file from the victim's device and sends it to a command-and-control (C2) server. The team used VirusTotal tools and APIs such as search, VirusTotal Graph, and Retrohunt to find files containing stolen data. They searched for data leaked via known malware, including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye. The researchers showed how criminals could apply this method to collect an unlimited number of credentials and other sensitive user data with little effort in a short amount of time. They disclosed their findings to Google and recommended periodically searching for and removing files containing sensitive user data from VirusTotal. The team also recommended banning API keys that upload stolen user credentials and implementing an algorithm to prevent the uploading of sensitive data files. This article continues to discuss the VirusTotal hacking techniques and how Google can combat them.
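As an added example, not code from SafeBreach, Google or the article: a pre-upload gate of the kind the researchers recommend, which refuses to submit a text artefact to a public sandbox when it looks like an exfiltrated credential log. The field names and thresholds are assumptions chosen for this illustration, and every sample below is constructed.

```python
import re
from dataclasses import dataclass, field

# Heuristic patterns for credential-dump content. These are assumptions for
# this example, not the format of any particular stealer family.
LABELLED_FIELD = re.compile(
    r"^\s*(url|host|username|user|login|password|pass|pwd)\s*[:=]\s*\S",
    re.I | re.M)
PASSWORD_FIELD = re.compile(r"^\s*(password|pass|pwd)\s*[:=]\s*\S", re.I | re.M)
EMAIL_PASS_PAIR = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+[:;|]\S{4,}$", re.M)


@dataclass
class UploadDecision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    labelled_fields: int = 0
    password_fields: int = 0
    email_pass_pairs: int = 0


def assess_for_upload(text: str) -> UploadDecision:
    """Return whether `text` may be submitted to a shared sandbox.

    Blocks when the file carries several labelled records with at least two
    password entries, or at least two bulk email:password lines, so it is
    routed to human review instead of becoming searchable by every licence
    holder. A lone password line in a config file is still allowed.
    """
    d = UploadDecision(allowed=True)
    d.labelled_fields = len(LABELLED_FIELD.findall(text))
    d.password_fields = len(PASSWORD_FIELD.findall(text))
    d.email_pass_pairs = len(EMAIL_PASS_PAIR.findall(text))
    if d.password_fields >= 2 and d.labelled_fields >= 3:
        d.reasons.append("multiple url/username/password records")
    if d.email_pass_pairs >= 2:
        d.reasons.append("bulk email:password lines")
    d.allowed = not d.reasons
    return d


# Constructed samples; none of these values are real.
STEALER_LOG_SAMPLE = ("URL: https://mail.example.test/login\nUsername: alice@example.test\n"
                      "Password: not-a-real-password\nURL: https://shop.example.test\n"
                      "Username: alice\nPassword: also-not-real\n")
BULK_SAMPLE = "alice@example.test:notreal1\nbob@example.test:notreal2\n"
BENIGN_CONFIG = "host = localhost\nport = 5432\nuser = app\npassword = placeholder\n"

if __name__ == "__main__":
    for name, sample in [("stealer log", STEALER_LOG_SAMPLE), ("bulk", BULK_SAMPLE),
                         ("config", BENIGN_CONFIG)]:
        print(name, assess_for_upload(sample))
```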

CPO Magazine reports "Security Researchers Say Attackers Can Access Unlimited Stolen User Credentials Through Simple VirusTotal Hacking Techniques"
