An anti-malware detection service provider and premium security firm has been accused of leaking terabytes of confidential data from several Fortune 1000 companies, including customer credentials, financial records, network intelligence and other sensitive data.
However, in response to the accusations, the security firm confirmed that it is not pulling sensitive files from its customers; instead, the companies themselves are accidentally (but explicitly) sharing their sensitive data in order to use an optional cloud-based anti-malware service.
On Wednesday, information security firm DirectDefense published a blog post claiming that it had found a major issue with the endpoint detection and response (EDR) solution offered by US-based company Carbon Black, alleging that the company is leaking hundreds of thousands of sensitive files from its customers.
Carbon Black is a leading incident response and threat hunting company that offers security products to nearly thirty of the largest 100 public and privately held companies in the US, including Silicon Valley leaders in internet search, social media, government, and finance.
DirectDefense Claims ‘Carbon Black’ Leaking Data
According to DirectDefense, Carbon Black's CB Response product is responsible for leaking a massive amount of its customers' data, from cloud keys and app store keys to credentials and other sensitive trade secrets, because of its dependence on third-party multi-scanner services.
Carbon Black specialises in next-generation antivirus plus endpoint detection and response (EDR) solutions in one cloud-delivered platform that stops malware and other cyber attacks.
The product works by classifying files as "good" or "bad" and building a whitelist from the good ones, so that its clients are prevented from running harmful files on their systems. To do this, the tool continuously evaluates an enormous and ever-expanding pool of files for potential infection.
DirectDefense claims that whenever the tool encounters a new file on a client's computer that it has never seen before, it first uploads the file to Carbon Black's servers, and the company then forwards a copy of that file to the VirusTotal multi-scanner service (owned by Google), which runs dozens of antivirus engines to check whether the file is good or bad.
But according to DirectDefense President Jim Broome:
“Cloud-based multi-scanner service [VirusTotal] operate as for-profit businesses. They survive by charging for access to advanced tools sold to malware analysts, governments, corporate security teams, security companies, and basically whomever is willing to pay.”
So, anyone who is willing to pay would get access to the multiscanner and eventually access to the files submitted to its database.
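The upload step in the workflow above, together with the pay-for-access concern just described, is where a defender would want a policy gate. The following is an added illustration of such a pre-upload gate for an endpoint agent, not code from Carbon Black, DirectDefense or VirusTotal: an unknown file is reduced to a hash-only lookup unless it looks executable, and anything that looks like a credential store never leaves the host in full. The secret patterns, extensions, magic bytes and sample files are constructed assumptions, not a vendor list.

```python
import hashlib
import re

# Constructed markers for "this file probably holds secrets"; not exhaustive.
SECRET_PATTERNS = [
    re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    re.compile(rb"AKIA[0-9A-Z]{16}"),  # shape of an AWS access key id
    re.compile(rb"(?i)(?:password|secret|api[_-]?key)\s*[:=]\s*\S+"),
]
# Constructed list of extensions that must never be uploaded in full.
NEVER_UPLOAD_EXT = {".pem", ".key", ".pfx", ".p12", ".kdbx", ".env"}
# Executable signatures: the kind of content a multi-scanner is for.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def sha256_hex(data: bytes) -> str:
    """A hash lookup sends only this digest, never the file body."""
    return hashlib.sha256(data).hexdigest()


def classify(name: str, data: bytes) -> dict:
    """Decide what, if anything, may leave the host for an unknown file.

    'action' is one of: 'block' (send nothing), 'hash_lookup' (send only the
    SHA-256), 'upload' (full file may go to the cloud scanner). Secret checks
    run before the executable check so a binary with an embedded key is blocked.
    """
    ext = name[name.rfind("."):].lower() if "." in name else ""
    digest = sha256_hex(data)
    if ext in NEVER_UPLOAD_EXT:
        return {"action": "block", "sha256": digest, "reason": "credential-store extension"}
    for pat in SECRET_PATTERNS:
        if pat.search(data):
            return {"action": "block", "sha256": digest, "reason": "secret marker found"}
    if data.startswith(EXEC_MAGIC):
        return {"action": "upload", "sha256": digest, "reason": "executable content"}
    return {"action": "hash_lookup", "sha256": digest, "reason": "non-executable, no markers"}


# Constructed sample files standing in for "new, never-seen" files on a host.
SAMPLES = {
    "deploy.env": b"AWS_SECRET=abc123",
    "notes.txt": b"api_key = 12345",
    "tool.exe": b"MZ\x90\x00payload",
    "leaky.exe": b"MZ\x90-----BEGIN PRIVATE KEY-----",
    "report.docx": b"PK\x03\x04quarterly numbers",
}


def run_policy(samples: dict = SAMPLES) -> dict:
    """Map each sample name to the action the gate would take."""
    return {name: classify(name, data)["action"] for name, data in samples.items()}
```

Only `tool.exe` is eligible for a full upload in this policy; the document gets a hash lookup and the three secret-bearing files send nothing.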
Broome called the scheme "the world's largest pay-for-play data exfiltration botnet."
Broome says he discovered this issue in mid-2016 when his company was working on a potential breach on its client’s computer.
Source: The Hacker News