Short Bytes: The data belonging to various top companies using Carbon Black’s Cb Response tool might be at risk, according to DirectDefense. The security firm was able to discover the data like cloud keys, usernames, customers data, etc. while it was being sent to third-party anti-virus multiscanner. Carbon Black later said that data is only transferred when the users enable an optional feature.
In a shocking blog post made on Wednesday, a US-based security firm DirectDefense accused Carbon Black of leaking terabytes of sensitive data (not intentionally) belonging to top companies, some of them having their names on the Fortune 1000 list.
The test cases described in the post include a last streaming media company, social media company, financial services company, etc.
Carbon Black provides their EDR (Endpoint Detection and Response) tool in the name of Cb Response. According to Direct Defense, user files and other fishy files are transferred to third-party anti-virus scanning tools to make sure they are safe for the use on the network of the concerned company.
Pointing towards an architectural flaw in Cb Response, DirectDefense claimed that it’s possible to gain access to the data. They were able to replicate the discovery process for a few organizations using the product.
Here are the types of data included in the leak:
- Cloud keys (AWS, Azure, Google Compute) – which could allow hackers to easily access all cloud resources.
- App store keys (Google Play Store, Apple App Store) – allowing for rogue applications that could be updated in place of legitimate apps.
- Internal usernames, passwords, and network intelligence
Communications infrastructure data (Slack, HipChat, SharePoint, Box, Dropbox, etc.). - Single sign-on/two-factor keys.
- Customer data.
- Proprietary internal applications (custom algorithms, trade secrets).
DirectDefense’ president Jim Broome said in a statement that their “security team has uncovered the world’s largest pay-for-play data exfiltration botnet, and it’s being orchestrated through a solution that’s meant to protect the exact data that is being leaked.
Broome further added that organizations that are leveraging Cb Response and similar EDR solutions, which depend on third-party anti-virus multi scanners, need to be aware of the threats associated with such products.
Carbon Black’s co-founder and CTO Michael Viscuso said that the conclusions made regarding the architectural flaw are not correct and the ability to share files with third-party scanners is an optional feature (turned off by default). The clients for whom DirectDefense was able to gain access to the data might have enabled the feature to share files.
“In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer, on a per-sensor group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google.”
You can read DirectDefense’ blog post here and Carbon Black’s response here. If you have got something to add? Drop your thoughts and feedback.
