One of Carbon Black's channel partners discovered a significant data leak in the security vendor's endpoint detection and response offering, exposing thousands of files and sensitive data belonging to the vendor's customers, but Carbon Black called the flaw a feature.
In a blog post Wednesday, Jim Broome, the chief executive of DirectDefense – which has multiple offices across the US – said the data leak centred on Carbon Black's Cb Response EDR offering and the third-party cloud-based multi-scanner service to which it uploads files so they can be checked against multiple anti-virus engines.
The blog post said that any files uploaded by Cb Response and forwarded to the cloud-based multi-scanner were available to "anyone that wants them and is willing to pay": the multi-scanner sells access to the files submitted to it as suspected malware samples, whatever those files actually contain.
DirectDefense’s blog post called the situation the "world's largest pay-for-play data exfiltration botnet".
DirectDefense did not respond to a request for comment by press time. The Colorado-headquartered solution provider is also a top Cylance partner, advocating in many of its blog posts for the technology. Cylance is a direct competitor of Carbon Black.
Carbon Black, for its part, pointed to its own blog when asked for comment on DirectDefense’s allegation.
In the blog post, Carbon Black called the DirectDefense blog "incorrect" in saying that it has an architectural flaw that exfiltrates data. It said "this is an optional feature (turned off by default) to allow customers to share information with external sources for additional ability to detect threats".
While Carbon Black said it does allow customers to use cloud-based multi-scanners – something it calls "one of the most popular threat analysis services that enterprise customers opt into" – it said its services are not dependent on the engines.
The company also took issue with DirectDefense's decision to publish its report without first informing Carbon Black of its findings.
"We appreciate the work of the security research community. However, it is important to note that Carbon Black was not informed about this issue by DirectDefense prior to publication of the blog to validate their findings... It is also not a foundational architectural flaw. It is a feature, off by default, with many options to ensure privacy, and a detailed warning before enabling," the Carbon Black blog post said.
Carbon Black said customers and partners could reach out to the company's support personnel with any questions. It also said it will "happily use our strong relationship with VirusTotal to remove any sensitive data that was exposed via this feature".
DirectDefense’s blog post noted that not all files uploaded to the cloud-based multi-scanner service would be critical information, citing a Windows update as an example.
However, it said its researchers did find cloud credentials for Amazon Web Services, Microsoft Azure and Google Compute; keys for the Google Play Store and Apple App Store; internal usernames and passwords; network intelligence; details of communications infrastructure; single sign-on and two-factor authentication keys; proprietary internal applications; and customer data from several Fortune 1000 companies.
"Our intention with releasing this information was not to attack customers or security vendors, and we don’t pretend that we’ve performed an exhaustive analysis of the breadth of the leaks. We only know that every time we looked, we found this same serious breach of confidentiality.
"We also do not know if this is the only key Carbon Black uses, nor if this problem is unique to Carbon Black, only that Carbon Black’s prevalence in the marketspace and the design of their solution’s architecture seems to be providing a significant amount in data exfiltration," the blog post said.
DirectDefense said it discovered the issue when it responded to a potential breach at a customer site in the middle of last year. The solution provider said it was analysing a malware sample in the multi-scanner service's analyst interface and, when it queried for similar samples, was able to see an unrelated customer's sensitive information.
It said the samples had all been uploaded by the same uploader, whose primary API key belonged to Carbon Black's Cb Response.
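The mechanism described above (an agent uploads whole files to a multi-scanner whose paying subscribers can retrieve them, and some of those files carry the credential types DirectDefense listed) suggests the gate a practitioner would want in front of any such upload. The following is an added example written for this page, not code from Carbon Black, DirectDefense or VirusTotal: sharing stays off by default, and when it is switched on the file is scanned for obvious credential patterns and high-entropy tokens and falls back to a hash-only lookup if anything is found. The detector patterns and the `hash_lookup_only`/`upload_allowed` actions are assumptions for illustration; the sample files are constructed, with the placeholder keys from AWS's own documentation standing in for real ones.

```python
"""Pre-submission gate for files an EDR agent would send to a cloud
multi-scanner. Added illustration, not Carbon Black's or VirusTotal's code."""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Illustrative detectors for secrets that commonly end up inside binaries,
# scripts and config files. The AWS access-key-ID shape (AKIA + 16 chars) is
# documented by AWS; the other patterns are assumptions for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{6,}"
    ),
    "bearer_token": re.compile(rb"(?i)authorization:\s*bearer\s+[A-Za-z0-9._-]{20,}"),
}

# Runs of base64-like characters long enough to be a key or token.
CANDIDATE_TOKEN = re.compile(rb"[A-Za-z0-9+/]{32,}")
# A hexadecimal alphabet tops out at exactly 4.0 bits per byte, so a strict
# ">" keeps hashes, GUIDs and hex-encoded blobs from being flagged.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_secrets(data: bytes) -> list[tuple[str, bytes]]:
    """Return (detector_name, matched_bytes) for every suspected secret."""
    hits = [(name, m.group(0))
            for name, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(data)]
    for m in CANDIDATE_TOKEN.finditer(data):
        if shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD:
            hits.append(("high_entropy_string", m.group(0)))
    return hits


@dataclass
class SubmissionDecision:
    sha256: str
    action: str               # "hash_lookup_only" or "upload_allowed"
    reasons: list[str] = field(default_factory=list)


def decide_submission(data: bytes, sharing_enabled: bool = False) -> SubmissionDecision:
    """Decide whether a file may leave the estate as a full upload.

    A hash lookup reveals only the digest; a full upload hands the file to
    every subscriber of the multi-scanner. Sharing is off by default, and even
    when enabled a file that looks like it carries credentials is held back.
    """
    digest = hashlib.sha256(data).hexdigest()
    if not sharing_enabled:
        return SubmissionDecision(digest, "hash_lookup_only", ["sharing disabled (default)"])
    hits = find_secrets(data)
    if hits:
        reasons = [f"{name}: {value[:8].decode('ascii', 'replace')}..." for name, value in hits]
        return SubmissionDecision(digest, "hash_lookup_only", reasons)
    return SubmissionDecision(digest, "upload_allowed")


# Constructed samples. The AWS values are the placeholder keys from AWS's own
# documentation, not live credentials.
LEAKY_SCRIPT = (
    b"#!/bin/sh\n"
    b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    b"export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    b"db_password = 'hunter2hunter2'\n"
    b"aws s3 sync ./build s3://example-bucket/\n"
)
CLEAN_FILE = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\r\n"

if __name__ == "__main__":
    for label, blob in (("leaky script", LEAKY_SCRIPT), ("clean file", CLEAN_FILE)):
        d = decide_submission(blob, sharing_enabled=True)
        print(f"{label}: {d.action} sha256={d.sha256[:16]}... reasons={d.reasons}")
```

The point of the default is the one both parties argue over: with sharing off, nothing but a digest leaves the machine, and a hash lookup still answers "has anyone seen this file?" for the common case. The entropy threshold is deliberately the maximum for a hex alphabet, so hashes and GUIDs embedded in a binary do not cause false holds; real tokens drawn from a base64-style alphabet sit well above it.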
The blog post said it is not clear if the problem is limited to Carbon Black.
The EDR market in general has seen a boom in recent years, with multiple new startups jumping into the space, although Carbon Black is still one of the largest players in that market.
"It is imminently likely that there are other EDR sources and products to exploit (perhaps even other keys being used by Carbon Black’s solutions and even other vendors). Over the last couple years, there have been over 50 EDR companies launched, and likely, some of them may follow the same inspection model as Carbon Black," the DirectDefense blog post said.