Breach in VirusTotal Allowed Access to Internal Google Hosts

Cybersecurity researchers have identified a vulnerability in the VirusTotal platform that could be used to execute malicious code and gain remote access to internal systems. The vulnerability has since been patched.

According to Cysource specialists, the discovered bug would have allowed an attacker to “remotely execute commands on VirusTotal and gain access to certain platform features for scanning suspicious files.”

The attack vector required an attacker to upload a DjVu file through the VirusTotal web user interface, after which a vulnerability in the open-source ExifTool utility was exploited.
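As an added illustration (not code from the article, from Cysource or from VirusTotal), here is a content-based pre-filter that a file-scanning pipeline could run before any metadata extractor sees an upload: because ExifTool identifies file types from their content rather than their extension, a DjVu file renamed to .jpg would still reach the DjVu parser, so the check below inspects the IFF header instead of the name and routes DjVu content to an isolated worker. The routing labels and the sample headers are constructed for this example.

```python
import struct

# DjVu files are IFF containers: "AT&T" magic, then a FORM chunk whose
# type is one of the DjVu form identifiers.
DJVU_MAGIC = b"AT&T"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}


def is_djvu(data: bytes) -> bool:
    """Recognise DjVu content from its header, ignoring the file name."""
    if len(data) < 16 or data[:4] != DJVU_MAGIC or data[4:8] != b"FORM":
        return False
    (form_len,) = struct.unpack(">I", data[8:12])  # big-endian chunk length
    return form_len >= 4 and data[12:16] in DJVU_FORM_TYPES


def triage_upload(filename: str, data: bytes) -> str:
    """Decide where an upload goes before any metadata extraction runs.

    'isolate' : DjVu content, parse only inside a sandboxed worker
    'scan'    : everything else follows the normal pipeline
    The labels are constructed for this example; the file name is
    deliberately not consulted.
    """
    return "isolate" if is_djvu(data) else "scan"


# Constructed samples: a DjVu header disguised as .jpg, a genuine JPEG
# header, and a file named .djvu that is actually a PDF.
SAMPLES = {
    "report.jpg": b"AT&TFORM" + struct.pack(">I", 40) + b"DJVUINFO" + b"\x00" * 24,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20,
    "notes.djvu": b"%PDF-1.4\n" + b"\x00" * 20,
}


def triage_all(samples=SAMPLES) -> dict:
    """Run the triage decision over every sample and return name -> decision."""
    return {name: triage_upload(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, decision in triage_all().items():
        print(f"{name}: {decision}")
```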



This vulnerability is tracked as CVE-2021-22204 and has a CVSS score of 7.8. Interestingly, the developers had already closed this vulnerability on April 13, 2021. Nevertheless, exploiting the bug gave the researchers access to the systems of Google (VirusTotal's owner) and opened the way to more than 50 hosts, with high-privilege access.


“Fun fact: every time we uploaded a file with a new hash and payload, VirusTotal sent that payload to other hosts. Thus, we had in our hands not only the possibility of remote code execution, but the payload itself was sent to the internal network of Google, its customers, and partners,” explain the researchers.
