However, in response to the accusations, the security firm confirmed that they are not pulling sensitive files from its customers; instead, it’s up to companies—who are accidentally (but explicitly) sharing their sensitive data to leverage an optional cloud-based anti-malware service.
On Wednesday, Information security firm DirectDefense published a blog post, claiming that they found a major issue with endpoint detection and response (EDR) solution offered by US-based company Carbon Black, alleging that the company is leaking hundreds of thousands of sensitive files from its customers.
Carbon Black is a leading incident response and threat hunting company that offers security products to nearly thirty of the largest 100 public and privately held companies in the US, including Silicon Valley leaders in internet search, social media, government, and finance.
DirectDefense Claims ‘Carbon Black’ Leaking Data
According to DirectDefense, the company’s CB Response is responsible for leaking a massive amount of its customers’ data—from cloud keys and app store keys to credentials and other sensitive trade secrets—due to its dependence on third-party multi-scanner services.
The product works by identifying “good” and “bad” files and then creating their whitelist to prevent its clients from running harmful files on their systems. So, the tool continuously evaluates an enormous and ever-expanding pool of files for a potential infection.
DirectDefence claims whenever the tool encounters a new file on its clients’ computer that it has never seen before, it first uploads the file to Carbon Black servers, and then company forwards a copy of that file to VirusTotal multiscanner service (owned by Google) that contains dozens of antivirus engines to check if the file is good or bad.
But according to DirectDefense President Jim Broome:
“Cloud-based multi-scanner service [VirusTotal] operate as for-profit businesses. They survive by charging for access to advanced tools sold to malware analysts, governments, corporate security teams, security companies, and basically whomever is willing to pay.”
So, anyone who is willing to pay would get access to the multiscanner and eventually access to the files submitted to its database.
Broome called the scheme as “the world’s largest pay-for-play data exfiltration botnet.”
Broome says he discovered this issue in mid-2016 when his company was working on a potential breach on its client’s computer.
While using the VirusTotal cloud-based multi-scanner to search for a possible piece of malware which it suspected of infecting its client, his staff came across a batch of internal applications belonging to a “very large telecommunications equipment vendor.”
“We downloaded about 100 files (we found JAR files and script files to be the easiest to analyse by script), and ran these files through some simple pattern matching,” Broome writes.
“When we got hits, we’d try to extrapolate where they came from. We were not trying to be exhaustive in the analysis, and only repeated this operation a few times to see if it still held true.”
DirectDefense Found Sensitive Data Leaked From Top Companies
Broome says he identified three companies to whom the files his team downloaded belonged, though he doesn’t disclose the names of the affected companies.
Here is some information DirectDefense revealed about the three affected companies:
Large Streaming Media Company
The first company was a large streaming media firm, and files associated with this company contained, among other sensitive files:
- Amazon Web Services (AWS) Identity and Access Management (IAM) Credentials
- Slack API Keys
- The Company’s Crowd (Atlassian Single Sign On)
- Admin Credentials
- Google Play keys
- Apple Store ID
Social Media Company
The second company was a social media company, and files associated with this firm included:
- Hardcoded AWS and Azure keys
- Other internal proprietary information, like usernames and passwords
The third firm is a financial services provider, for which researchers discovered:
- Shared AWS keys that granted access to customer financial data
- Trade secrets that included financial models and possibly direct consumer data
“Our intention with releasing this information was not to attack customers or security vendors,” Broome writes, and we don’t pretend that we’ve performed an exhaustive analysis of the breadth of the leaks. We only know that every time we looked, we found this same serious breach of confidentiality.”
Carbon Black Explains the Origin of Data Leak
However, in response to DirectDefence allegations, Carbon Black Co-founder and CTO Michael Viscuso published a blog post today explaining that their CB Response tool doesn’t upload all files automatically to VirusTotal; instead, the feature comes disabled by default, leaving the choice to users to use its multiscanner service.
“Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multi-scanners (specifically VirusTotal) automatically,” Viscuso writes.
“We allow customers to opt into these services and inform them of the privacy risks associated with sharing.”
“If the customer enables the second option (complete binaries with VirusTotal) Cb Response ensures that the customer understands the risks associated with uploading full binaries to a public multi-scanner service with an explicit warning”
This means, at first place, top-notch companies are accidentally (but explicitly) leaking their sensitive files on VirusTotal database.
Broome also suspects that this issue is not unique to Carbon Black, other EDR providers may also be leaking its customers’ data in the same way.