Carbon Black may be leaking terabytes of customer data (UPDATED)
Security firm Carbon Black awoke to a damning report Wednesday morning about a severe flaw in one of its top software products: Sensitive corporate data from some major companies -- clients of Carbon Black -- has been found on multi-scanner services.
The report from DirectDefense, a managed security strategies provider, ties the data leak to an API key that the company says belongs to Carbon Black Cb Response, a next-generation anti-malware endpoint detection and response tool.
Cb Response is responsible for leaking “hundreds of thousands of files comprising terabytes of data,” according to the report.
Researchers sampled 100 files and identified leaks from several major companies, including a large streaming media company, a social media company and a financial services business.
The leak contains a wide range of company data: cloud keys, single sign-on passwords, two-factor keys, internal usernames and passwords, app store keys, proprietary internal applications such as custom algorithms and trade secrets, network intelligence and customer data.
DirectDefense left impacted company names out of the report to protect identities. However, the researchers did contact all customers found on the database.
“The leaked data exist primarily around various executable formats (we haven’t seen evidence of this in documents or pdfs yet),” the report authors wrote. “However, if handled incorrectly, even executables can easily contain serious data leakage of information that can be hazardous to a company’s security posture.”
Carbon Black provides security tools to a wide range of companies, almost 2,000 customers globally -- including those in the healthcare industry.
The issue stems from how data about potential threats is collected and aggregated in a central location for later analysis by researchers. Carbon Black separates known-good files from known-bad ones to keep harmful files from running.
Because it relies on whitelisting to ward off threats, Carbon Black must continuously analyze a rapidly growing pool of files. According to DirectDefense, the problem arises when the product encounters a new file on a client's system and cannot yet tell whether it is good or bad: it sends the file to a secondary cloud-based multi-scanner to be scored.
Translation: every new file a client encounters is uploaded at least once. Anyone who gains access to the multi-scanner account, in this case through the API key, can then retrieve the files submitted under it.
“Welcome to the world’s largest pay-for-play data exfiltration botnet,” the report authors wrote.
And to make matters worse, the report could not definitively conclude whether this flaw is specific to Carbon Black. What the researchers do know is that “Carbon Black’s prevalence in the marketspace and the design of their solution’s architecture seems to be providing a significant amount in data exfiltration.”
Carbon Black customers should review the data being collected through the Cb Response product and evaluate the type of data that exists on their networks. Those concerned about third-party access, such as healthcare organizations, can also disable cloud uploads. Keep in mind that this will reduce detection coverage, since new files can no longer be scored by the multi-scanner.
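One practical form of that review, as an added example that is not part of the DirectDefense report or of any Carbon Black tooling: before enabling binary uploads for a sensor group, run the executables it would submit through a strings-style secret scan, so that anything carrying baked-in credentials is caught locally rather than discovered on a public multi-scanner. The regex patterns, the `find_secrets` and `scan_file` names, and the sample blobs below are constructed for illustration; the AWS key is the documented AWS example value, not a real credential.

```python
import re
import sys
from typing import List, Tuple

# Minimum length for a printable run to count as a "string", as in strings(1).
MIN_STRING_LEN = 8

# Illustrative patterns (assumed, not from the report) for secrets that are
# commonly compiled or packaged into executables.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(
        r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    # No leading \b on purpose: identifiers like db_password= would otherwise be missed.
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|api[_-]?key|secret)\s*[=:]\s*\S{6,}"),
}


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> List[str]:
    """Pull printable-ASCII runs of at least min_len bytes out of a binary blob."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_secrets(data: bytes) -> List[Tuple[str, str]]:
    """Return (pattern_name, matched_text) for every secret-looking string in data."""
    findings: List[Tuple[str, str]] = []
    for s in extract_strings(data):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(s):
                findings.append((name, m.group()))
    return findings


def scan_file(path: str) -> List[Tuple[str, str]]:
    """Scan one file on disk; returns the same findings list as find_secrets."""
    with open(path, "rb") as f:
        return find_secrets(f.read())


# Constructed sample "binary": an ELF-like header, junk bytes, and a few embedded
# secrets of the kinds the report describes (cloud key, password, private key).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 2
    + b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    + b"\x00\x01\x02" + b"db_password=Tr0ub4dor&3\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n"
    + b"\xff\xfe" * 32
)

# Constructed sample with ordinary strings and nothing secret-looking.
CLEAN_BINARY = b"\x7fELF" + bytes(range(256)) + b"Usage: tool [options]\x00"


if __name__ == "__main__":
    # Usage: python scan.py file1 file2 ...   (exit 1 if anything was found)
    hits = 0
    for path in sys.argv[1:]:
        for name, text in scan_file(path):
            print(f"{path}: {name}: {text}")
            hits += 1
    sys.exit(1 if hits else 0)
```

Run it over the staging directory (or a sample of quarantined binaries) before flipping the upload option on; a non-zero exit is the signal to pull the offending build rather than let the sensor ship it to a third party.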
In a blog post, Carbon Black Co-founder and CTO Michael Viscuso said: “There’s an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis.”
“This option can be enabled by a customer, on a per-sensor group basis,” he continued. “When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google. We appreciate the work of the security research community.”
Carbon Black was not informed about the issue brought to light by DirectDefense before it was published. Specifically, Viscuso explained that DirectDefense “asserts that this [is] an architectural flaw in all Cb products.”
But “this is exclusively a Cb Response feature — not included in Cb Protection or Cb Defense,” said Viscuso. “It’s also not a foundational architectural flaw. It’s a feature, off by default, with many options to ensure privacy and a detailed warning before enabling."
This post was updated to include comments from Carbon Black CTO Michael Viscuso.