A leading American security firm and purveyor of anti-malware detection services is waking up to a damning report about a massive vulnerability in its flagship product. The report describes an unimaginable leak, the scope of which covers a wide range of confidential data, including customer credentials and financial records, among other sensitive files.
In a blog posted late Tuesday night, DirectDefense, an information security company, announced the discovery of inherent flaw in a leading anti-malware product offered by Carbon Black, a US-based company that supplies security products to nearly a third of the the largest 100 public and privately held companies in the United States.
The report claims Carbon Black’s product, Cb Response, is responsible for leaking a tremendous amount of data, from cloud keys and app store keys to usernames and passwords and proprietary applications, including custom algorithms and other sensitive trade secrets. While the leaked data is not generally available online, DirectDefense believes it is accessible to governments, corporations and security teams willing to pay premium for access to pricey anti-malware tools.
Originally founded as a company called Bit9, Carbon Black specialises in what’s called endpoint detection and response, or EDR, a term for security tools that detect and investigate suspicious activities on a network’s endpoints—mobile devices, laptops, and desktop PCs. Data collected on potential threats is aggregated into a central location for further analysis to help grow and inform the platform’s threat intelligence capabilities.
Carbon Black identifies files that are “good” versus those that are “bad” to prevent clients from running harmful files on their systems. This means it relies on whitelisting policies to fend off threats, and it’s a massive endeavour. It requires the company to constantly evaluate an enormous and ever-expanding pool of files—anything that an anti-virus scanner checks for a potential infection.
The problem, according to the DirectDefense blog authored by President Jim Broome, is that Carbon Black encounters files on its clients’ computer that it has never seen before. “Since Carbon Black doesn’t know if this previously unseen file is good or bad, it then sends the file to a secondary cloud-based multiscanner for scoring,” explains Broome, referring to services that combine the power of dozens of anti-virus scanning products. “This means that all new files are uploaded to Carbon Black at least once.”
However, “cloud-based multiscanners operate as for-profit businesses,” Broome continues. “They survive by charging for access to advanced tools sold to malware analysts, governments, corporate security teams, security companies, and basically whomever is willing to pay.”
In other words, gaining access to the multiscanner means also gaining access to the files submitted to its database. And here’s where the trouble began.
Broome writes that while responding to a potential breach on a client’s computer last year his staff accessed the analyst interface of a large cloud-based multiscanner. While using the multiscanner to search for malware matching that which it suspected of infecting its client, the staff reportedly came across a batch of internal applications belonging to what it describes as a “very large telecommunications equipment vendor.” And then they got curious.
"Example of AWS and database information found in java code uploaded by Cb Response.” (DirectDefense)
According to DirectDefense, the files were uploaded by Carbon Black, as identified by its unique API key. “By searching for similar uploads from this key, we found hundreds of thousands of files comprising terabytes of data,” Broome writes. In its report, DirectDefense says it identified three companies to whom the files belonged. The names of the affected companies were withheld, DirectDefense said, out of respect for their customers’ privacy.
The first was a large streaming media company. The files associated with this company, Broome says, contained, among other sensitive files, Amazon Web Services (AWS) credentials, Slack API keys, Google Play keys, and an Apple Store ID.
The second was a social media company, and for it the researchers discovered hardcoded AWS keys and keys for Azure, Microsoft’s cloud computing platform, along with “other internal proprietary information, such as usernames and passwords.
Finally, the researchers discovered a shared AWS key granting access to customer financial data tied to a financial services company, in addition to “trade secrets that included financial models and possibly direct consumer data.”
“Our intention with releasing this information was not to attack customers or security vendors, and we don’t pretend that we’ve performed an exhaustive analysis of the breadth of the leaks,” Broome writes. “We only know that every time we looked, we found this same serious breach of confidentiality.”
Broome concluded that DirectDefense was unsure if the problem was unique to Carbon Black, “only that Carbon Black’s prevalence in the marketspace and the design of their solution’s architecture seems to be providing a significant amount in data exfiltration.”
Carbon Black has responded to DirectDefense’s allegations that it is leaking terabytes of private client data, including financial records and potential trade secrets, from major Fortune 100 companies.
In a blog post Carbon Black CTO and co-founder Michael Viscuso claims that data discovered by the researchers was available to them due to clients having turned on and off-by-default function that allows them to share files with cloud-based multi-scanners for threat analysis purposes.
Cloud-based, multi-scanners are one of the most popular threat analysis services that enterprise customers opt into. These multi-scanners allow security professionals to scan unknown or suspicious binaries with multiple AV products.
Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multi-scanners (specifically VirusTotal) automatically. We allow customers to opt in to these services and inform them of the privacy risks associated with sharing. Our products are not dependent on these services.
After explaining the feature in detail he went on to reiterate, “It is also not a foundational architectural flaw.” [DirectDefense]