An extremely critical report has been published about a massive vulnerability in the flagship product of a leading American security company and best-seller of anti-malware detection services. According to the report by information security firm DirectDefense, it is an unimaginable data leakage, covering a vast range of confidential data, including customer credentials and financial records, among other sensitive files.

In a blog post, DirectDefense published its discovery of an inherent defect in the anti-malware product of Carbon Black, a US-based company. Carbon Black supplies security products to nearly a third of the largest 100 publicly and privately held organizations in the United States.

According to the report, Carbon Black's product, Cb Response, is responsible for leaking an enormous amount of data, including cloud keys, app store keys, usernames, passwords and proprietary applications, including custom algorithms and other sensitive trade secrets. Even though the leaked data is not available online, DirectDefense believes it is accessible to governments, corporations and security teams willing to pay the premium for access to pricey anti-malware tools.
DirectDefense President Jim Broome termed this scheme "the world's largest pay-for-play data exfiltration botnet."

Carbon Black catalogs files that are "good" versus those that are "bad" to prevent clients from running malicious files on their systems. Carbon Black relies on whitelisting policies to defend against threats, and it is a huge endeavor: it requires the company to constantly evaluate an enormous and ever-expanding pool of files, that is, any file an antivirus scanner checks for a potential infection.

According to Jim Broome, "the problem arises when Carbon Black finds files on its clients' computers that it has never examined before. Since Carbon Black does not know if this previously unseen file is good or bad, it exports the file to a secondary cloud-based multi scanner for scoring." This means every new file is uploaded to Carbon Black at least once. "Obviously, cloud-based multi scanners operate as for-profit businesses," Broome continues. "They survive by charging for access to advanced tools sold to malware analysts, governments, corporate security teams, security companies, and whoever is willing to pay."
In other words, gaining access to the multi scanner also means gaining access to the files submitted to its database. Files were uploaded by Carbon Black, as recognized by its unique API key. By searching for similar uploads from this key, DirectDefense found hundreds of thousands of files comprising terabytes of data. In the report, DirectDefense says it identified three companies to whom the files belonged. Broome concluded that DirectDefense was unsure whether the problem was unique to Carbon Black, and that only Carbon Black's prevalence in the market and the design of its solution's architecture seemed to be producing such a significant amount of data exfiltration.

Carbon Black has responded to DirectDefense's allegations. Carbon Black CTO and co-founder Michael Viscuso claims that the data discovered by the researchers was available to them because those clients had turned on an off-by-default function that lets them share files with cloud-based multi-scanners for threat analysis purposes.

Blog post by Carbon Black CTO:

"This is an optional feature (turned off by default) to allow customers to share information with external sources for additional ability to detect threats.

Cloud-based multi-scanners are one of the most popular threat analysis services that enterprise customers opt into. These multi-scanners allow security professionals to scan unknown or suspicious binaries with multiple AV products.

Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multi-scanners (specifically VirusTotal) automatically. We allow customers to opt into these services and inform them of the privacy risks associated with sharing. Our products are not dependent on these services."

After explaining the feature in detail, he went on to reiterate, "It is also not a foundational architectural flaw."
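The dispute above comes down to one design decision: what an endpoint agent does with a file it has never seen before, and whether a full copy of that file leaves the customer's estate. The following Python is an added illustration written for this page, not Carbon Black's or DirectDefense's code, of a policy gate for that decision. It assumes a local good/bad hash catalog, an off-by-default cloud-sharing flag as the CTO's post describes, a hash-only lookup against the scanner before any full upload, and a constructed list of "sensitive content" markers (private-key headers, credential-looking strings, secret-bearing file names) that block uploads regardless of policy. The sample files, catalog entries and markers are all constructed.

```python
"""Policy gate deciding whether an unknown binary may be sent to a cloud multi-scanner.

Added example for this article; not the code of any product named on the page.
Everything below (samples, catalog, markers) is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SharingPolicy:
    cloud_sharing_enabled: bool = False          # off by default, as described in the CTO's post
    max_upload_bytes: int = 32 * 1024 * 1024     # assumed ceiling for a full-file upload
    # Constructed markers for content that must never leave the estate.
    sensitive_markers: tuple = (b"BEGIN PRIVATE KEY", b"password=", b"api_key=")
    sensitive_name_fragments: tuple = ("id_rsa", ".pem", ".env", "secrets")


@dataclass(frozen=True)
class Decision:
    action: str         # 'good' | 'bad' | 'hold-local' | 'hash-lookup' | 'upload'
    reason: str
    leaves_estate: str  # 'nothing' | 'hash' | 'file'  (what was sent off-site)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_sensitive(name: str, data: bytes, policy: SharingPolicy) -> bool:
    """Cheap local screen: file name fragments and byte markers that suggest secrets."""
    lowered = name.lower()
    if any(fragment in lowered for fragment in policy.sensitive_name_fragments):
        return True
    return any(marker in data for marker in policy.sensitive_markers)


def decide(name: str, data: bytes, policy: SharingPolicy,
           local_catalog: dict, cloud_hash_index: set) -> Decision:
    """Order of checks matters: nothing contacts the cloud until local checks pass."""
    digest = sha256_hex(data)
    if digest in local_catalog:                       # 1. known good/bad: no cloud contact at all
        return Decision(local_catalog[digest], "verdict from local good/bad catalog", "nothing")
    if not policy.cloud_sharing_enabled:              # 2. default: unknown files stay on site
        return Decision("hold-local", "cloud sharing is off by default; held for local review", "nothing")
    if looks_sensitive(name, data, policy):           # 3. secrets never leave, even when opted in
        return Decision("hold-local", "content matches sensitive-data markers; upload blocked", "nothing")
    if len(data) > policy.max_upload_bytes:           # 4. size ceiling
        return Decision("hold-local", "file exceeds upload size limit", "nothing")
    if digest in cloud_hash_index:                    # 5. hash-first: only the digest is sent
        return Decision("hash-lookup", "scanner already knows this hash; only the hash was sent", "hash")
    return Decision("upload", "unknown, not sensitive, sharing opted in: full file sent for scoring", "file")


# Constructed sample files standing in for what an agent might encounter on an endpoint.
SAMPLE_FILES = {
    "installer.exe": b"MZ\x90\x00 constructed benign sample, already in the local catalog",
    "updater.exe":   b"MZ\x90\x00 constructed benign sample, unknown everywhere",
    "deploy.sh":     b"#!/bin/sh\nexport api_key=CONSTRUCTED-PLACEHOLDER\n",
    "service.pem":   b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n",
    "tool.exe":      b"MZ\x90\x00 constructed sample the cloud scanner has already seen",
}
LOCAL_CATALOG = {sha256_hex(SAMPLE_FILES["installer.exe"]): "good"}   # constructed catalog
CLOUD_HASH_INDEX = {sha256_hex(SAMPLE_FILES["tool.exe"])}              # constructed scanner index


def run_demo(policy: SharingPolicy) -> dict:
    """Run every sample through the gate under one policy; returns name -> Decision."""
    return {name: decide(name, data, policy, LOCAL_CATALOG, CLOUD_HASH_INDEX)
            for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for label, policy in (("sharing OFF (default)", SharingPolicy()),
                          ("sharing ON (opted in)", SharingPolicy(cloud_sharing_enabled=True))):
        print(f"== {label} ==")
        for name, d in run_demo(policy).items():
            print(f"{name:14} {d.action:12} leaves={d.leaves_estate:8} {d.reason}")
```

With sharing left at its default, nothing at all leaves the estate, which is the posture the CTO's post claims. With sharing opted in, only one of the five constructed samples is uploaded in full; the key file and the script carrying a credential are held locally, and the already-indexed binary is resolved by hash alone. The point for a defender reviewing such a feature is the `leaves_estate` column: an audit of what an agent actually transmits, not just whether the feature is on.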