DirectDefense Releases New Threat Report Uncovering Carbon Black’s pay-for-play exfiltration botnet

Englewood, Colo., August 9, 2017 – DirectDefense, Inc., an information security services company that provides penetration testing, compliance management, and 24/7 managed services, today released its Carbon Black threat report. The report identifies a significant security risk in the architecture used by Carbon Black’s popular Cb Response product, one that puts sensitive customer data at risk. The research and recommendations in the threat report will help security organizations understand how DirectDefense’s vulnerability assessment experts discovered harvested data belonging to Cb Response customers, and why it is nearly impossible to stop this leakage given the architecture Carbon Black has built for its Endpoint Detection and Response (EDR) platform.

Titled “Harvesting Cb Response Data for Fun and Profit,” the DirectDefense threat report stems from a discovery its security analytics team made while performing breach detection, incident response and forensics services for a customer. The exposure lets analysts exploit the trust model between Carbon Black’s Cb Response EDR platform and the third-party vendors it relies on: Cb Response sends end-user files to a third-party antivirus multiscanner to determine whether the files are safe for use on the enterprise network. DirectDefense then replicated this discovery process for three other customer organizations and found the same flaw. Because of Cb Response’s dependence on third-party multiscanners, DirectDefense researchers were able to access files that had been uploaded to the multiscanner and find leaked data belonging to large financial services, social media and streaming media organizations. This access was obtained through the paid services of the third-party multiscanner vendor, and it illustrates the risks inherent in third-party integration partners.

Examples of the types of leaked data include:

  • Cloud keys (AWS, Azure, Google Compute) – which could allow hackers to easily access all cloud resources
  • App store keys (Google Play Store, Apple App Store) – allowing for rogue applications that could be updated in place of legitimate apps
  • Internal usernames, passwords, and network intelligence
  • Communications infrastructure data (Slack, HipChat, SharePoint, Box, Dropbox, etc.)
  • Single sign-on/two factor keys
  • Customer data
  • Proprietary internal applications (custom algorithms, trade secrets)

Any of this sensitive data in the wrong hands can cost organizations thousands of dollars in fraudulent billing and down time, as well as potential noncompliance fines and lost customer trust.
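As an added illustration, not code from DirectDefense or Carbon Black, the following gate checks a file for the classes of material the report says turned up on the multiscanner (cloud keys, private keys, credentials) so a defender can keep such files from being submitted to an external service. The AWS access key id prefix and the PEM header are real formats; the Slack token shape, the entropy threshold and the sample files are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Signatures for the data classes listed in the report. The AWS key-id and PEM
# header shapes are documented formats; the Slack token shape is an assumption.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S{8,}"),
}

# Heuristic for secrets with no fixed shape (secret access keys, API tokens):
# long unbroken runs of token characters with high character entropy.
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # assumption; tune against benign corpora


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str) -> list[str]:
    """Return the names of the secret classes detected in text."""
    hits = [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]
    if any(shannon_entropy(t) > ENTROPY_THRESHOLD for t in TOKEN_RUN.findall(text)):
        hits.append("high_entropy_token")
    return hits


def upload_decision(text: str) -> str:
    """Decide whether a file may leave the enterprise for external scanning."""
    return "block_external_scan" if find_secrets(text) else "allow_external_scan"


def triage(files: dict[str, str]) -> dict[str, str]:
    """Map each file name to its decision."""
    return {name: upload_decision(content) for name, content in files.items()}


# Constructed sample files; the AWS values are the public AWS documentation examples.
SAMPLE_FILES = {
    "deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "notes.txt": "Quarterly sales deck, draft v3.\n"
                 "All numbers are placeholders until finance signs off.\n",
}

if __name__ == "__main__":
    for name, decision in triage(SAMPLE_FILES).items():
        print(f"{name}: {decision} {find_secrets(SAMPLE_FILES[name])}")
```

A gate like this only reduces exposure for files your own tooling submits; it cannot retrieve anything already held by the third party.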

“Essentially, our security team has uncovered the world’s largest pay-for-play data exfiltration botnet, and it’s being orchestrated through a solution that’s meant to protect the exact data that is being leaked,” said Jim Broome, president of DirectDefense. “Organizations need to be aware of the risks involved with Cb Response and other similarly architected EDR solutions that rely on third-party AV multiscanners. Our new report will give security teams actionable advice on how to reduce these risks.”

About DirectDefense
DirectDefense, named one of America’s fastest-growing small private companies in 2016 by Inc. Magazine, is an information security services and 24/7 managed services provider headquartered in Englewood, CO, with locations across the United States. Founded in 2011 on more than 50 years’ combined experience in information security, DirectDefense works in close and honest partnership with clients to design a personalized information security solution that works, based on an organization’s specific needs. To learn more, visit