Posted on August 10, 2017 at 12:48 PM
DirectDefense, an information security firm, published a blog post on Tuesday night revealing a flaw in an anti-malware product from Carbon Black, a US company whose security products are used by a large share of public and private organizations in the US.
The post claimed that Carbon Black's product, Cb Response, was responsible for leaking a significant amount of customer data, including cloud keys and app-store keys as well as usernames, passwords and proprietary applications. Although the leaked data is not openly available online, the researchers believe that governments, corporations and security teams could obtain it if they are willing to spend a significant amount of money on it.
As DirectDefense President Jim Broome puts it, this is the world's largest pay-for-play data exfiltration botnet.
Carbon Black, formerly known as Bit9, specializes in endpoint detection and response (EDR), a class of security tools that detects and examines suspicious activity on laptops, desktop PCs, mobile phones and similar devices. The data these tools collect is sent to a central location for further analysis, which in turn feeds the platform's threat intelligence capabilities.
In short, the company separates good files from bad ones so that its customers never run harmful files on their devices. It relies on whitelisting policies to keep threats out, which means the company must continuously evaluate an ever-growing mass of files, essentially everything an antivirus scanner would check for a potential infection.
According to DirectDefense, the problem begins when Carbon Black encounters a file on a client's computer that it has never seen before. This triggers Cb Response to send the file to a secondary, cloud-based multiscanner for scoring; such services combine the verdicts of many antivirus engines. The consequence is that every new file is uploaded by Carbon Black at least once.
But these multiscanners are for-profit businesses: they survive by charging for the advanced tools they sell to malware analysts, governments, corporate security teams, security companies, or anyone else willing to pay, Broome says.
In short, anyone with paid access to the multiscanner also has access to the files in its database, and that is where the problems start.
Broome said his staff first came across one of these multiscanners last year while responding to a potential breach. While using it to search for malware, they stumbled upon a batch of internal applications belonging to a very large telecommunications equipment vendor, which naturally piqued their curiosity.
The files had been uploaded by Carbon Black, identifiable by its unique API key. DirectDefense says it identified three companies connected to the files but is withholding their names to protect the customers' privacy.
Across the three companies, the files included Amazon Web Services (AWS) credentials, Slack API keys, Google Play keys, hard-coded AWS keys and Azure keys, and a shared AWS key granting access to customer financial data held by a financial services company.
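The mechanism described above (an unknown file is shipped to a third-party multiscanner, where any paying customer can retrieve it) and the kinds of material DirectDefense reported finding (AWS keys, Slack tokens, hard-coded passwords) suggest the check a practitioner would want in front of such a feature: a pre-upload gate that refuses to share a file carrying credentials. The following is an added example, not Carbon Black's, Cb Response's or DirectDefense's code; the vendor's actual upload pipeline is not public. The credential patterns are assumptions based on published key formats (AWS access key IDs begin with `AKIA`, Slack tokens with `xox`), the two sample files are constructed, and the `share_with_multiscanner` flag stands in for the product's off-by-default sharing option.

```python
"""Pre-upload secret gate for an EDR 'share unknown files with a multiscanner' feature.

Added example (not vendor code). Models the decision described in the article:
an unknown file is about to be sent to an external multiscanner; refuse when the
file carries credentials, and never send anything when sharing is disabled.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed patterns, derived from published key formats; tune for your estate.
SECRET_PATTERNS = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase alnum chars
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Slack tokens: xoxb- (bot), xoxp- (user), xoxa-/xoxr- followed by an id string
    "slack_token": re.compile(rb"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    # PEM private key header
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Quoted literal assigned to a secret-looking name, e.g. password = "hunter2hunter2"
    "assignment": re.compile(rb"(?i)(?:secret|password|api[_-]?key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern fired
    offset: int    # byte offset in the file
    sample: str    # redacted prefix so the report itself does not leak the secret


def _redact(match: bytes) -> str:
    return match[:4].decode("ascii", errors="replace") + "..."


def scan_bytes(data: bytes) -> list[Finding]:
    """Return every credential-looking match in the file, ordered by offset."""
    findings = [
        Finding(kind, m.start(), _redact(m.group(0)))
        for kind, pattern in SECRET_PATTERNS.items()
        for m in pattern.finditer(data)
    ]
    return sorted(findings, key=lambda f: f.offset)


def should_upload(data: bytes, share_with_multiscanner: bool) -> tuple[bool, list[Finding]]:
    """Decide whether an unknown file may be sent to the external multiscanner.

    Returns (allowed, findings). Sharing is assumed off by default, mirroring the
    vendor's description of the feature; with sharing off nothing is scanned or sent.
    """
    if not share_with_multiscanner:
        return False, []
    findings = scan_bytes(data)
    return len(findings) == 0, findings


# Constructed sample files (not real customer data). The AWS key is Amazon's
# documented placeholder; the Slack token and password are made up.
CLEAN_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"usage: tool [--verbose] FILE\n"
LEAKY_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"[cloud]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    + b"slack_token=xoxb-123456789012-ABCDEFGHIJKLmnop\n"
    + b"db_password = \"hunter2hunter2\"\n"
)


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("leaky", LEAKY_SAMPLE)):
        allowed, hits = should_upload(blob, share_with_multiscanner=True)
        print(f"{name}: upload {'allowed' if allowed else 'BLOCKED'}")
        for f in hits:
            print(f"  {f.kind} at offset {f.offset}: {f.sample}")
```

The gate is deliberately conservative: a false positive only costs a manual review, whereas a false negative hands the credential to every other customer of the multiscanner. Note that a regex gate catches only secrets stored in recognisable plaintext form; it does not make uploading proprietary binaries safe, which is the other half of DirectDefense's complaint.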
As Broome wrote, the company's intention in releasing this information wasn't to attack customers or security vendors. They only know that wherever they looked, they stumbled upon the same serious breach of confidentiality.
Broome concluded that DirectDefense was unsure whether the problem was unique to Carbon Black.
Carbon Black has responded to DirectDefense's allegation that it is leaking terabytes of private client data.
In a blog post, Carbon Black CTO and co-founder Michael Viscuso claims that the data discovered by the researchers was available to them because those clients had turned on an off-by-default function that allows them to share files with cloud-based multiscanners for threat analysis purposes.
The feature is optional and off by default; it lets customers share information with external sources to gain additional threat-detection capability.