Carbon Black

Sensitive corporate data from customers protected by Carbon Black endpoint detection and response (EDR) solutions has been found on multiscanner services, according to an investigation by DirectDefense, a provider of managed security strategies.

The shocking data leak has been tied to an API key which DirectDefense claims belongs to Carbon Black Cb Response, a next-gen anti-malware EDR product.

The problem is in how EDR products operate in general

EDR solutions work by managing lists of whitelisted files and applications. When an EDR product finds a new file not included in its database, it uploads the file to its cloud service, which then uploads it to a multiscanner service (think VirusTotal).

The EDR cloud uses the aggregated scan result from this multiscanner service to decide whether to whitelist or blacklist the file. The problem is that even if the EDR and multiscanner rename the files using hashes, copies of those files are still saved on the multiscanner service.

Most of these multiscanners work on a pay-for-access model, allowing anyone to access threat intelligence data on past scanned files, and even download copies for further analysis. This is exactly how DirectDefense found the Carbon Black leak.

Data leak found in mid-2016

"In mid-2016, some of our staff were responding to a potential breach at a customer’s site," said Jim Broome, President at DirectDefense. "As part of our process, we were analyzing a potential piece of malware using the analyst interface of a large cloud-based multiscanner."

"One of the useful features of this multiscanner is that they allow searching for similar malware to get some context, and in doing so, we stumbled across a couple of files that were very different," Broome adds. "These seemed to be internal applications from a very large (and completely unrelated to our original customer) telecommunications equipment vendor."

DirectDefense continued to go down the rabbit hole, and they eventually tracked down a large swath of files from the same uploader.

"This [multiscanner] service obscures the uploader behind an API key, in this case: 32d05c66," Broome said. "By doing some research, we determined that this is the primary key for uploading files by Carbon Black for Cb Response," which is Carbon Black's flagship EDR product.

DirectDefense: Fortune 1000 companies leaking terabytes of data

DirectDefense says they searched for similar files uploaded by this API key and "found hundreds of thousands of files comprising terabytes of data."

They also downloaded 100 files for further analysis. In a report published late last night, DirectDefense claims they discovered a treasure trove of sensitive data, much of it from Fortune 1000 companies. For example, here are some of DirectDefense's findings:

Large Streaming Media Company:

  •     Amazon Web Services (AWS) Identity and Access Management (IAM) Credentials for the Company
  •     Slack API Keys for the Company
  •     The Company’s Crowd (Atlassian Single Sign On) Admin Credentials
  •     Google Play keys
  •     Apple Store ID

Social Media Company:

  •     Hardcoded AWS and Azure keys
  •     Other internal proprietary information, such as usernames and passwords.

Financial Services Company:

  •     Shared AWS keys that granted access to customer financial data
  •     Trade secrets that included financial models and possibly direct consumer data.

"This [latter] leak led us to decide to make this public," Broome said of the moment they found customer data inside files uploaded to the multiscanner.

Broome says DirectDefense did not purposely create a tool to search for these sensitive files, and wanted to go public with its findings so companies and EDR providers could take precautionary measures to prevent such leaks in the future.
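
One such precautionary measure, sketched as an added example (not code from DirectDefense, Carbon Black or any multiscanner): a gate that queries unknown files by hash only and never releases content that contains credential-like strings. The pattern set, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

# Illustrative credential patterns (assumed, not exhaustive); a real deployment
# would rely on a maintained secret-scanning rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(rb"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        rb"(?i)\bpassword\s*[=:]\s*['\"][^'\"\s]{6,}['\"]"),
}

def find_secrets(data: bytes) -> list[str]:
    """Return the names of credential patterns present in the file content."""
    return sorted(n for n, rx in SECRET_PATTERNS.items() if rx.search(data))

def submission_decision(data: bytes, allow_upload: bool = False) -> dict:
    """Decide what may leave the network for one unknown file.

    The SHA-256 can always be queried. The content itself is eligible for
    upload only when the operator opted in (off by default) and no
    credential pattern matched.
    """
    digest = hashlib.sha256(data).hexdigest()
    hits = find_secrets(data)
    if not allow_upload:
        action = "hash_lookup_only"
    elif hits:
        action = "hash_lookup_only_secrets_found"
    else:
        action = "upload_permitted"
    return {"sha256": digest, "action": action, "secrets": hits}

# Constructed sample inputs: a fake internal binary with hardcoded
# credentials (AWS's documented example key ID) and a clean one.
SAMPLE_INTERNAL_APP = (b"MZ\x90\x00" + b"\x00" * 16 +
                       b'aws_key="AKIAIOSFODNN7EXAMPLE"\n'
                       b'password = "constructed-pass"\n')
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 16 + b"print hello\n"

if __name__ == "__main__":
    for name, blob in (("internal", SAMPLE_INTERNAL_APP), ("clean", SAMPLE_CLEAN)):
        print(name, submission_decision(blob, allow_upload=True))
```

A hash-only query still reveals that the organization holds a given file, but no copy of the file is stored on the third-party service.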

Other EDR providers possibly affected

The DirectDefense president also suspects that other EDR providers are leaking customer files in the same way, and that this is not an issue specific to Carbon Black alone.

Carbon Black did not respond to a request for comment from Bleeping Computer in time for this article's publication.

Update, August 9, 2017, 11:15 AM ET: Carbon Black has replied to the DirectDefense investigation via a blog post. Carbon Black CTO Michael Viscuso says the multiscanner (VirusTotal) feature described by DirectDefense is not on by default, and when users enable this feature, they are warned about sharing data with a third party.

On Reddit, a Carbon Black founding team member said many customers asked for the VirusTotal scanner integration. In addition, he blamed DirectDefense for "grossly irresponsible disclosure, both to us and the three companies used as examples. We, and [the clients], heard about it the same time you did," he added.

Update, August 9, 2017, 2:30 PM ET: DirectDefense said it stands by its research in a counter-reply blog post, although they admitted to seeing "this feature setting in the product and in the manual that stated this is off by default," a very important detail they forgot to mention in their original research, misleading their readers.

Image credits: Carbon Black, DirectDefense