Pentest firm calls Carbon Black "world’s largest pay-for-play data exfiltration botnet"

DirectDefense, Inc. says Carbon Black's Cb Response is compromising terabytes of customer data


On Wednesday, DirectDefense, Inc. disclosed that they've discovered hundreds of thousands of files from Carbon Black customers.

The discovery is said to pose a significant risk to Carbon Black's clients, because of the company's dependence on third-party multiscanners in the Cb Response product.

In a blog post, Jim Broome, president of DirectDefense, said that the problems with Carbon Black's Cb Response were first detected when his firm was working an incident for a customer.

He describes the issue as a problem with "trust model leveraged between third party vendors utilized by Carbon Black’s Cb Response EDR platform, which sends end user files to a third-party antivirus multiscanner solution to determine if the files are safe for use in the enterprise network."

As many in the security industry will recall, Carbon Black started out as the application whitelisting company Bit9. These days, under a new name, the company has grown to thousands of customers worldwide.

While they've shifted to endpoint detection and response (EDR) as a business model, they haven't left their roots behind, and that's where the problem is, Broome wrote.

When Cb Response doesn't know a file, it uploads it to a multiscanner for checking.

"Cloud-based multiscanners operate as for-profit businesses," Broome explains.

These scanners typically charge for access, offering their tools to malware analysts, governments, corporate security teams, security companies, etc. Essentially, if your organization is willing to pay, you can use the scanners.

"Access to these tools includes access to the files submitted to the multiscanner corpus (it’s hard to analyze malware that you don’t have). This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay. Welcome to the world’s largest pay-for-play data exfiltration botnet," Broome wrote.

It didn't take long before the primary key used by Cb Response to upload to the scanner was discovered. Once Broome's team had that key, they were able to locate "hundreds of thousands of files comprising terabytes of data."

Broome says that his team discovered cloud keys (AWS, Azure, Google Compute); app store keys (Google Play Store, Apple App Store); internal usernames, passwords, and network intelligence; communications infrastructure (Slack, HipChat, SharePoint, Box, Dropbox, etc.); single sign-on/two factor authentication keys; customer data; and other proprietary data, including trade secrets.
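As an added illustration, not code from DirectDefense or Carbon Black, here is a pre-submission gate modelled on the flow described above: the EDR looks a file up by hash by default, and only uploads file content when the operator has opted in and the file carries none of the credential formats the report lists. The pattern set, the function names and the two sample "binaries" are constructed for this example.

```python
import hashlib
import re

# Credential formats named in the report; the regexes are the widely published
# public shapes of these identifiers (constructed for this example, not from Cb Response).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "slack_token": re.compile(rb"xox[abprs]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def find_secrets(blob: bytes) -> list:
    """Names of the credential patterns present anywhere in the file bytes."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(blob))


def scanner_request(blob: bytes, upload_enabled: bool) -> dict:
    """Build the request the EDR would send to an external multiscanner.

    Default (upload_enabled=False): only the SHA-256 leaves the enterprise.
    Opted in: the content is uploaded, unless it carries credential material,
    in which case the gate falls back to a hash lookup and records why.
    """
    digest = hashlib.sha256(blob).hexdigest()
    hits = find_secrets(blob)
    if upload_enabled and not hits:
        return {"action": "upload", "sha256": digest, "content": blob, "blocked_on": []}
    return {"action": "hash_lookup", "sha256": digest, "content": None,
            "blocked_on": hits if upload_enabled else []}


# Constructed sample "binaries": one clean, one with a fake AWS key ID embedded.
CLEAN_BINARY = b"MZ\x90\x00" + b"\x00" * 64 + b"just a harmless test program"
LEAKY_BINARY = b"MZ\x90\x00" + b"config=AKIAEXAMPLEKEY000000;region=us-east-1" + b"\x00" * 32


def demo() -> dict:
    """Run the gate over both samples with the feature off and on."""
    return {
        "clean_off": scanner_request(CLEAN_BINARY, upload_enabled=False)["action"],
        "clean_on": scanner_request(CLEAN_BINARY, upload_enabled=True)["action"],
        "leaky_on": scanner_request(LEAKY_BINARY, upload_enabled=True)["blocked_on"],
    }


if __name__ == "__main__":
    print(demo())
```

With the feature left at its default, nothing but the hash leaves the network; once it is enabled, the gate still refuses to ship a file that visibly embeds a key, which is the class of data the report says was retrievable from the multiscanner.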

Salted Hash has reached out to Carbon Black for comment, and we'll update should they respond.

The tone of the DirectDefense report makes it clear that the problem (as they see it) is with the use of third-party scanners by Carbon Black. While calling them a botnet is a bit of a stretch, the risk associated with multiscanners that are unknown to the customer is a real one.

Update:

An official statement from Carbon Black is expected later today. However, there have been some developments since this story went live. On Reddit, someone by the name of 'jjguy' - who says they're a founding team member at Carbon Black - responded to the DirectDefense report [archive link].


The post calls it "grossly irresponsible disclosure", presumably because DirectDefense didn't speak with Carbon Black, or the three anonymous firms used as examples in the report, prior to publication.

The post also confirms that the multiscanner feature is disabled by default, and once enabled, the customer is warned about the risks. Based on the screenshot provided, the scanner in question is VirusTotal.

"Many shops hand-jam scripts to do similar stuff, but it gets complex to keep up at scale. Since data at scale is what we do, it's a natural feature many folks ask us for. Enabling it is a risk/benefit tradeoff (sic) - the blog post clearly demonstrates the risk, but ignores the benefits," the Reddit post adds.

Update 2:

In a blog post, Michael Viscuso, the co-founder and CTO at Carbon Black, mirrored many of the points made by the previously mentioned Reddit post.

"So what did the DirectDefense researchers find? In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer, on a per-sensor group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google," he explains.

"We appreciate the work of the security research community. However, it is important to note that Carbon Black was not informed about this issue by DirectDefense prior to publication of the blog to validate their findings. For example, the blog asserts that this is an architectural flaw in all Cb products. To the contrary, this is exclusively a Cb Response feature – not included in Cb Protection or Cb Defense. It is also not a foundational architectural flaw. It is a feature, off by default, with many options to ensure privacy, and a detailed warning before enabling."
