Israeli startup: Google VirusTotal can help hackers

Itzik Kotler photo: SafeBreach

SafeBreach: We warned Google of the problem, which affects computers not connected to the Internet, but they didn't get back to us.

Israeli cybersecurity company SafeBreach simulates attacks by hackers against organizations in order to spot weak points and deal with them. In recent months, one matter in particular has been grabbing the company's attention: the way hackers are liable to use antivirus and online tools for analyzing viruses to extract sensitive information from computers. Last July, CTO Itzik Kotler (who founded the company with CEO Guy Berejano) and VP security research Amit Klein presented their study at the BlackHat cyber conference in Las Vegas.

"We talked about ways that information can leak from computers that are not directly connected to the Internet, such as the ones used by very secure companies and agencies like the Ministry of Defense," Kotler told "Globes." Another study, reported here for the first time, was written by SafeBreach security researcher Dor Azuri. He presents ways in which attackers can gather information from unconnected computers without being exposed, by using platforms designed to stop hackers, chief among them Google's VirusTotal.

"There are diverse ways for attackers to get to unconnected computers," Kotler says. "Such events usually go unreported, but it can be an employee in an organization working against it or infecting it with a DiskOnKey or some other external device. The company is not totally unconnected."

The attacker's double challenge

Antivirus products that use sandbox services - cloud platforms enabling information security personnel to feed suspicious files to them and receive analyses - were at the center of the research. "We showed how an attacker can create a virus for the purpose of having it exposed, and plant within it the sensitive information stolen from the organization," Kotler says. "The antivirus transfers the virus to the cloud for testing, and while it runs and analyzes the virus, the virus communicates the information to the attacker."

In a different scenario, the information security officer, not the antivirus, puts the suspicious code on the cloud. Azuri says, "The most likely possibility is that the information security officer will use by far the most common service in the area: VirusTotal. This is a website that is a synonym for sandbox; it presents an analysis from dozens of anti-viruses, plus its own analysis. The information checked is exactly what the attacker accesses in order to get what he or she needs."

Klein and Kotler showed ways in which the virus can communicate with the attacker through a server prepared in advance or common protocols, but these methods make it possible to expose the hacker. Azuri discovered another method that makes detection difficult. "The attacker enters the sandbox as one of tens of thousands of users, questions the system, and obtains the information from the file he implanted."

The attacker's challenge at this stage is two-faceted. On the one hand, the attacker must discover when the malware file he implanted on the unconnected computer reaches the cloud. "He or she needs some sign making it possible to retrieve the file like a needle in a haystack, from tens of millions of files circulating in the sandbox," Klein says. Such a sign can be a string like X2y3z41, which the attacker searches for until he or she gets the result indicating that the file has reached the website.

On the other hand, the hacker wants to be the only one capable of decoding the information collected on the file and operating as a "concealed traveler" within the public sandbox. "The attacker can use techniques such as encoding the information in which he or she is interested, coding it, or dividing it in very specific ways. The information is then exposed to everyone, but is displayed in a very technical manner. Every user can see it, but the user does not know what he or she is seeing."

"Globes": Is there a way of knowing whether use has been made of a breach that you discover?

Kotler: "We tried to attract their attention several times in various ways, but they didn't get back to us." As of web posting, Google had not responded to a "Globes" inquiry in the matter.

What can sandbox platforms do in order to deal with the problem?

Azuri: "The solution seems very simple: limit the search, or don't allow information sharing to start with. The paradox is that restricting these capabilities actually denies the service that the sandboxes provide."

Klein: "In the original study, we talked about a type of solution - the organization should pay attention to the file that it puts on VirusTotal. It's all right to put a file that came from the Internet, because it doesn't belong to the organization. If it doesn't come from the Internet, and was created or was changed on one of the organization's computers, there is a risk that sensitive information belonging to the organization was burned on it, and that shouldn't be put on VirusTotal. This is a solution on the organizational level, not something that sandboxes can provide."
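The organizational check Klein describes can be enforced before anything is uploaded. The following is an added example, not code from SafeBreach or from the article: the function names, the gateway hash ledger, and the use of the Windows Zone.Identifier stream as a provenance hint are assumptions made for illustration.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_zone_id(ads_text):
    """Return ZoneId from a Windows Zone.Identifier stream, or None."""
    in_section = False
    for line in ads_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None

def may_submit(content, zone_text, ingress_hashes):
    """Decide whether a file may go to a public sandbox.

    ingress_hashes is a hypothetical ledger of SHA-256 digests recorded
    when files crossed the organization's web or mail gateway.
    """
    if sha256(content) in ingress_hashes:
        return True, "unchanged since it arrived from the Internet"
    # The Internet mark can survive local edits, so it cannot approve a file
    # on its own; it only tells the analyst which kind of refusal this is.
    if parse_zone_id(zone_text or "") in (3, 4):  # 3 = Internet, 4 = Restricted
        return False, "Internet-marked but modified locally; analyze in-house"
    return False, "no Internet provenance; analyze in-house"

# Constructed sample data, not real files.
DOWNLOADED = b"constructed bytes of a downloaded installer"
MODIFIED = DOWNLOADED + b" plus data appended on an internal host"
LOCAL = b"constructed bytes of a file built on a workstation"
MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/setup.exe\r\n"
INGRESS = {sha256(DOWNLOADED)}

if __name__ == "__main__":
    for name, data, zone in [("downloaded", DOWNLOADED, MOTW),
                             ("modified", MODIFIED, MOTW),
                             ("local", LOCAL, None)]:
        print(name, may_submit(data, zone, INGRESS))
```

Only the file whose hash still matches what the gateway saw is cleared for upload; a file that carries the Internet mark but has been changed inside the organization is held back, which is the case the mark alone would miss.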

A method very difficult to block

Gil Cohen, CTO of cyber consultation company Comsec, calls the discovery "technically exciting," although he qualifies that by saying that it will not change the market. "It's another tool in the hackers' toolbox, and could be a threat in the framework of the analysis of threats performed by highly classified and strongly protected organizations, which will try to find another solution for it. Perhaps they will analyze their protected files at home before sending them elsewhere. Sending information outside for forensic security analysis is currently a very common practice," he says.

Like SafeBreach, Comsec conducts deliberate attacks against its customers in order to analyze their security situation, and among other things, finds hidden channels for removing information from organizations with thick defense layers. "There are a number of channels posing as legitimate, for example for social networks or file sharing platforms, such as Google Drive. The recent discovery constitutes another concealed channel - one that will not be thought about, and which it will be very difficult to block, in contrast to social networks and other services."

Cohen mentions that attacks on networks that are completely unconnected and on critical infrastructure have taken place several times in the past, including last year. Examples of this are the electrical infrastructure attack in Ukraine, which caused shutdowns, and an attack on the metro in San Francisco, which resulted in passengers not paying for tickets for an entire week.

Published by Globes [online], Israel Business News - www.globes-online.com - on March 19, 2018

© Copyright of Globes Publisher Itonut (1983) Ltd. 2018
