Harvesting Cb Response Data Leaks for Fun and Profit, DirectDefense
Carbon Black’s Cb Response product is one of the more popular endpoint detection and response (EDR) tools available in an ever-growing marketplace. However, as a function of how the tool is architected, it is also a prolific data leaker.
This threat report blog will help security organizations understand how our vulnerability assessment experts harvested data from Carbon Black’s Cb Response customers, and why it is almost impossible to stop this with the architecture they devised.
How severe is the problem? Our experts could recover the following types of information from several Fortune 1000 companies:
- Cloud keys (AWS, Azure, Google Compute), which could provide access to all cloud resources
- App store keys (Google Play Store, Apple App Store), letting an attacker upload rogue applications that will be updated in place
- Internal usernames, passwords, and network intelligence
- Communications infrastructure (Slack, HipChat, SharePoint, Box, Dropbox, etc.)
- Single sign-on/two-factor keys
- Customer data
- Proprietary internal applications (custom-built algorithms, trade secrets)
The leaked data exists primarily in various executable formats (we haven’t seen evidence of this in documents or PDFs yet). However, if handled incorrectly, even executables can easily contain serious leakage of information that is hazardous to a company’s security posture.
Carbon Black Background:
To deal with the onslaught of new files (updates, new versions, newly purchased or developed applications, etc.), Carbon Black created a cloud lookup service that would tell you whether a file was good or bad, to assist in making the right decisions. The problem was, without a large sample set to determine what was good or bad already available to their users, Carbon Black deferred the decision to a cloud-based multiscanner service. Ultimately, Carbon Black would have a bunch of antivirus (AV) solutions determine which files were bad, and eliminate the offending file from the set of things customers could whitelist. This worked well for their customers, but it brought a new wrinkle into the equation. What about the good files that haven’t been seen by the cloud-based multiscanner? The answer was obvious. The files must be uploaded, have all the AV engines scan them, and then use those scores. So, Carbon Black began uploading files from their customers to their cloud, and from their cloud to the multiscanner solution.
Over time, Bit9 acquired a company called Carbon Black (which became the name of the new joint entity). Carbon Black (now called Cb Response) was an early player in EDR, or endpoint detection and response. As a function, EDR solutions record all the activities happening on endpoints and aggregate this information to a central location. The ability to dig deep into an endpoint and understand what had actually happened after a security incident is an excellent forensics tool, and enterprise customers quickly adopted the Carbon Black/Bit9 solution. However, Cb Defense customers soon faced a significant challenge. The EDR approach generated too much data (noise) for most organizations to staff accordingly, and the volume of information took a significant amount of time to turn into relevant decisions (signal). In response, Carbon Black started leveraging cloud-based multiscanner lookups to accelerate the time needed for reviewing files. Just as before, Cb Defense takes suspect or new files from the local system and forwards these files to a local server or cloud server, which in turn sends the files on to another cloud-based multiscanner.
After Bit9, Carbon Black’s next acquisition was a company called Confer (now called Cb Defense), which is a solution providing “next-generation AV”. Cb Defense is powered by a new engine; however, it appears to also be using a cloud-based multiscanner for part of its processing and analysis.
The real cost of transitive trust:
Trust is a funny thing. If I trust you and tell you a secret, I may believe you won’t tell anyone else. But if you do, I’m implicitly trusting anyone else you tell that secret to. The same goes for data. For example, when I send you sensitive information, and you send that sensitive information to another entity, as the owner of that sensitive information I am assuming the risk of all of it, not you. This is called transitive trust. So, what happens when Cb Response passes files out to a multiscanner? They leak.
Cloud-based multiscanners operate as for-profit businesses. They survive by charging for access to advanced tools sold to malware analysts, governments, corporate security teams, security companies, and basically whomever is willing to pay. Access to these tools includes access to the files submitted to the multiscanner corpus (it’s hard to analyze malware that you don’t have). This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but are then immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay.
Welcome to the world’s largest pay-for-play data exfiltration botnet.
How big is it, exactly? According to Carbon Black’s own website, “The company expects that by the end of 2015 it will achieve 7 million+ software licenses sold, almost 2,000 customers worldwide.”
When you think about 2,000 customers and 7 million endpoints (as of the end of 2015, presumably larger now) uploading every new file to a trusted partner that gives these files to anyone who pays, it starts to come into focus. Additionally, Gartner has called EDR a “1% solution”, meaning that these endpoints likely cross-cut the most sensitive, serious companies who would be most adversely affected by a leak of sensitive information, such as financial services and banking companies.
How could this happen? As previously stated, when a new file appears on a protected endpoint, a cryptographic hash is calculated. This hash is then used to look the file up in Carbon Black’s cloud. If Carbon Black has a score for this file, it returns the existing score, but if no entry exists, it requests an upload of the file. Since Carbon Black doesn’t know whether this previously unseen file is good or bad, it then sends the file to a secondary cloud-based multiscanner for scoring. This means that all new files are uploaded to Carbon Black at least once.
Generally speaking, this isn’t such a big deal. Take a Windows update, for example. The first Carbon Black customer that gets a Windows update and then uploads it doesn’t leak much information. However, let’s extrapolate this along real-world lines. Not every file is a Windows update, and many of them contain sensitive details and change frequently. This degree of change is what spurred Carbon Black, in its Bit9 form, to create this system in the first place.
Imagine you have this solution deployed on a developer workstation. Each time a new piece of code is compiled, that newly compiled code is a file that nobody has ever seen. It gets uploaded. Now imagine a build or deployment system that packages up a bunch of executables (and configuration files). You could easily imagine the types of combined data that could constitute a “new file”.
Discovering the Vulnerability
We noticed that the other files were all uploaded by a similar uploader. This service obscures the uploader behind an API key, in this case: 32d05c66.
Through some research, we determined that this is the primary key used by Carbon Black to upload files for Cb Response. By searching for similar uploads from this key, we found hundreds of thousands of files comprising terabytes of data. We started downloading some of these and digging a little deeper.
We downloaded about 100 files (we found JAR files and script files to be the easiest to analyze by script), and ran these files through some simple pattern matching. When we got hits, we’d attempt to extrapolate where they came from. We were not attempting to be exhaustive in our analysis, and only repeated this operation a few times to see if it still held true.
Here are a few actual use cases, kept anonymous to respect our customers’ privacy.
Case 1 – Large Streaming Media Company:
- Amazon Web Services (AWS) Identity and Access Management (IAM) Credentials for the Company
- Slack API Keys for the Company
- The Company’s Crowd (Atlassian Single Sign On) Admin Credentials
- Google Play keys
- Apple Store ID
Figure 1 – Example of Slack API information found in content uploaded from Cb Response
Figure 2 – Example of Google OAuth settings in content uploaded from Cb Response
Case 2 – Social Media Company
- Hardcoded AWS and Azure keys
- Other internal proprietary information, such as usernames and passwords.
Case 3 – Financial Services Company
- Shared AWS keys that granted access to customer financial data
- Trade secrets that included financial models and possibly direct consumer data.
Figure 3 – Example of AWS and database information found in Java code uploaded by Cb Response
Figure 4 – Example of AWS secret key located in Java code uploaded by Cb Response
This leak led us to decide to make this public.
We have not attempted to create an exhaustive search for leaks. This is almost certainly a broader-scope problem than we have time to explore. Additionally, it is imminently likely that there are other EDR sources and products to exploit (perhaps even other keys being used by Carbon Black’s solutions, and even other vendors). Over the last couple of years, there have been over 50 EDR companies launched, and likely some of them follow the same analysis model as Carbon Black.
The problems we noted seemed to exist more prevalently around developer and build/deploy systems, but this could easily be a bias in our search approach. This isn’t universal, but for the types of problems we were analyzing, it seems likely that these systems had the Cb Response agents deployed on them, and the leaks followed from the architecture of a solution that sends data up to a third-party, cloud-based multiscanner.
In all cases, the customers were notified and the leaks presumably stopped or slowed (we checked shortly after notification, but didn’t do any follow-up). Our intention in releasing this information was not to attack customers or security vendors, and we don’t pretend that we’ve performed an exhaustive analysis of the breadth of the leaks. We only know that every time we looked, we found this same serious breach of confidentiality. We also do not know if this is the only key Carbon Black uses, nor whether this problem is unique to Carbon Black, only that Carbon Black’s prevalence in the marketplace and the design of their solution’s architecture seem to be producing a significant amount of data exfiltration.
Recommendations: Protecting Your Sensitive Data
- If you have Carbon Black’s Cb Response or another similar product, understand what data is being collected and how it is being handled, especially if it leaves your premises.
- Be aware of the types of data that exist on systems that have agents from EDR solutions deployed on them.
- If you are extremely worried about your sensitive data leaking to a third party, and you have the option of disabling cloud uploads, do so (although be aware that this will likely negatively affect your security, as you won’t be able to score unknown files).
- Find someone with analyst access to the various cloud-based multiscanners to search for data that may pertain to your company.
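The second recommendation, knowing what data sits in the files an EDR agent will hash and upload, can be turned into a build-time check. The script below is an added example, not DirectDefense’s or Carbon Black’s code: it is a defender-side version of the simple pattern matching described under “Discovering the Vulnerability”, run over your own build artifacts before they become a “new file” that leaves the premises. The three regexes are assumptions covering common secret shapes (AWS access key IDs, Slack tokens, `password=` assignments), not a complete catalogue; the sample JAR is constructed inline, using the key ID that AWS itself uses in its documentation plus a fabricated Slack-style token and password, so the script runs offline.

```python
"""Scan build output for embedded secrets before it leaves the premises.

Added example (not DirectDefense's or Carbon Black's code). The regexes
are assumptions covering three common secret shapes; the sample JAR is
constructed inline so the script runs offline.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Secret shapes worth catching in build artifacts (assumed patterns, not exhaustive):
#   AWS access key IDs start with AKIA (long-term) or ASIA (temporary) + 16 chars.
#   Slack tokens start with xox{a,b,p,r,s}-.
#   "password = ..." assignments in properties files and scripts.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "slack_token": re.compile(rb"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "password_assignment": re.compile(rb"(?i)\bpassword\s*[=:]\s*['\"]?[^\s'\"]{6,}"),
}


@dataclass(frozen=True)
class Finding:
    container: str  # path of the scanned file
    member: str     # entry inside an archive, or "" for a plain file
    kind: str       # key of PATTERNS that matched
    offset: int     # byte offset of the match within the member


def scan_bytes(data: bytes, container: str, member: str = "") -> list:
    """Run every pattern over one blob and return the findings in pattern order."""
    return [
        Finding(container, member, kind, m.start())
        for kind, rx in PATTERNS.items()
        for m in rx.finditer(data)
    ]


def scan_artifact(path: str, data: bytes) -> list:
    """Scan a file; zip-based containers (JAR, WAR, APK) are opened and each
    member is scanned separately so a finding names the offending entry."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_bytes(data, path)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings.extend(scan_bytes(zf.read(info), path, info.filename))
    return findings


def would_block_upload(findings: list) -> bool:
    """Gate for a CI step: refuse to publish an artifact that has any finding."""
    return len(findings) > 0


def build_sample_jar() -> bytes:
    """Constructed sample: a JAR whose bundled properties file carries secrets.
    The AWS key ID is the one AWS uses in its own documentation; the Slack
    token and password are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        zf.writestr(
            "config/app.properties",
            "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
            "slack.token=xoxb-0000000000-constructedsampletoken\n"
            "db.password=\"not-a-real-password\"\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_artifact("build/app.jar", build_sample_jar())
    for f in hits:
        print(f"{f.container}!{f.member} @{f.offset}: {f.kind}")
    print("block upload:", would_block_upload(hits))
```

Wiring `scan_artifact` into the packaging step of a build pipeline catches the case the post describes (credentials compiled or bundled into a JAR) at the one point where the secret is still only on your own systems; once the agent has hashed the file and found no cloud score, the upload has already happened.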