Security solution provider DirectDefense said it has discovered a significant data leak in Carbon Black’s endpoint detection and response offering that is exposing thousands of files and critical data on the security vendor's customers. But what DirectDefense calls a flaw, Carbon Black calls a feature.
In a blog post Wednesday, DirectDefense CEO Jim Broome said the data leak problem centers on Carbon Black's Cb Response EDR offering and the third-party, cloud-based multi-scanner service it uses: Cb Response uploads files to that service so they can be checked against multiple anti-virus engines and classified as good or bad.
The blog post said, however, that any file uploaded by Cb Response and then forwarded to the cloud-based multi-scanner was available for sale to "anyone that wants them and is willing to pay." In other words, the files submitted as malware samples could themselves be purchased.
DirectDefense’s blog post called the situation the "world's largest pay-for-play data exfiltration botnet."
DirectDefense did not respond to a request for comment by press time. The Englewood, Colo.-based solution provider also is a top Cylance partner, advocating in many of its blog posts for the technology. Cylance is a direct competitor of Carbon Black.
Carbon Black, for its part, pointed to its own blog when asked for comment on DirectDefense’s allegation. In the blog post, Carbon Black called the DirectDefense blog "incorrect" in saying that it has an architectural flaw that exfiltrates data. It said "this is an optional feature (turned off by default) to allow customers to share information with external sources for additional ability to detect threats."
While Carbon Black said it does allow customers to use cloud-based multi-scanners -- something it calls "one of the most popular threat analysis services that enterprise customers opt into" -- it said its services are not dependent on the engines.
The company also took issue with DirectDefense's decision to publish its report without first informing Carbon Black of its findings.
"We appreciate the work of the security research community. However, it is important to note that Carbon Black was not informed about this issue by DirectDefense prior to publication of the blog to validate their findings. … It is also not a foundational architectural flaw. It is a feature, off by default, with many options to ensure privacy, and a detailed warning before enabling," the Carbon Black blog post said.
Justin Kallhoff, CEO of Infogressive, a Lincoln, Neb.-based MSSP and security specialist, said the cloud provides benefits and drawbacks to companies. He said companies should carefully consider the implications of uploading data to the cloud, as even companies with extensive security around the cloud like Microsoft and Amazon are now "huge targets" for attackers.
"Cloud-based anything has pros and cons. One of the downsides is trusting other companies with your data, which should never be forgotten. Cloud is now ubiquitous and companies' data is everywhere," Kallhoff said.
Carbon Black, Cambridge, Mass., said customers and partners can reach out to the company's support personnel with any questions. It also said it will "happily use our strong relationship with VirusTotal to remove any sensitive data that was exposed via this feature."
DirectDefense’s blog post noted that not all files uploaded to the cloud-based multi-scanner service would be critical information, citing a Windows update as an example. However, it said the company's security experts did find the cloud keys for Amazon Web Services, Microsoft Azure and Google Compute; keys for the Google Play Store and Apple App Store; internal usernames and passwords; network intelligence; communications infrastructure; single sign-on and two-factor authentication keys; proprietary internal applications; and customer data on several Fortune 1000 companies in its research.
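The defensive control implied by that list is a gate in front of the upload: look the file up by hash first, and scan its bytes for credential-shaped content before any full submission leaves the network. The following is an added example written for this article, not code from DirectDefense, Carbon Black or any multi-scanner vendor. It assumes a hypothetical `submission_decision` hook that an EDR connector would call before forwarding a sample; the AWS access key ID format is public, while the other patterns and all sample inputs are constructed heuristics for illustration and are not exhaustive.

```python
"""Pre-submission gate for third-party multi-scanner uploads (added example).

Policy: (1) if the scanner already knows the hash, submit only the hash;
(2) if the bytes look like they carry credentials, block the upload and
report why; (3) otherwise allow the full file to be uploaded.
"""
import hashlib
import re

# Credential-shaped patterns. The AWS access key ID shape (AKIA + 16 chars)
# is publicly documented; the rest are generic heuristics for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)\bpassword\s*[=:]\s*\S{6,}"),
    "bearer_token": re.compile(rb"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}


def sha256_hex(data: bytes) -> str:
    """Hash used for the hash-only lookup; never reveals file content."""
    return hashlib.sha256(data).hexdigest()


def find_secrets(data: bytes) -> list:
    """Return the sorted names of every credential pattern found in data."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(data))


def submission_decision(data: bytes, known_hashes=frozenset()) -> dict:
    """Decide how (or whether) a sample may go to an external multi-scanner.

    known_hashes stands in for a prior hash-only lookup against the service;
    a hit means the full file need not be uploaded at all.
    """
    digest = sha256_hex(data)
    if digest in known_hashes:
        return {"action": "hash_only", "sha256": digest, "findings": []}
    findings = find_secrets(data)
    if findings:
        return {"action": "block", "sha256": digest, "findings": findings}
    return {"action": "upload", "sha256": digest, "findings": []}


# Constructed sample inputs (not real files or real credentials).
SAMPLE_BENIGN = (b"MZ\x90\x00\x03\x00\x00\x00"
                 b"This program cannot be run in DOS mode.\r\n")
SAMPLE_CONFIG_DUMP = (b"[deploy]\n"
                      b"aws_access_key_id = AKIAABCDEFGHIJKLMNOP\n"
                      b"password=Summer2017!\n")
SAMPLE_KEY_FILE = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                   b"MIIEconstructedSampleNotARealKey\n"
                   b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    seen = {sha256_hex(SAMPLE_BENIGN)}  # pretend the scanner already has it
    for label, blob in [("benign", SAMPLE_BENIGN),
                        ("config dump", SAMPLE_CONFIG_DUMP),
                        ("key file", SAMPLE_KEY_FILE)]:
        d = submission_decision(blob, seen)
        print(f"{label:12s} -> {d['action']:9s} {d['findings']}")
```

The block-on-match rule is deliberately conservative: a false positive only costs a manual review, while a false negative hands a file with live keys to every paying subscriber of the scanner, which is exactly the exposure the article describes.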
"Our intention with releasing this information was not to attack customers or security vendors, and we don’t pretend that we’ve performed an exhaustive analysis of the breadth of the leaks. We only know that every time we looked, we found this same serious breach of confidentiality. We also do not know if this is the only key Carbon Black uses, nor if this problem is unique to Carbon Black, only that Carbon Black’s prevalence in the marketspace and the design of their solution’s architecture seems to be providing a significant amount in data exfiltration," the blog post said.
DirectDefense said it discovered the issue when it responded to a potential breach at a customer site in the middle of last year. The solution provider, No. 14 on the 2017 Fast Growth 150 with 186 percent year-over-year revenue growth, said it was analyzing a malware sample using the multi-scanner engine's analyst interface and was able to see an unrelated customer's sensitive information when it queried for similar samples. It said all the samples were uploaded using a similar uploader, the primary key of which belonged to Carbon Black for Cb Response.
The blog post said it is not clear if the problem is limited to Carbon Black.
The EDR market in general has seen a boom in recent years, with multiple new startups jumping into the space, although Carbon Black is still one of the largest players in that market.
"It is imminently likely that there are other EDR sources and products to exploit (perhaps even other keys being used by Carbon Black’s solutions and even other vendors). Over the last couple years, there have been over 50 EDR companies launched, and likely, some of them may follow the same inspection model as Carbon Black," the DirectDefense blog post said.