IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks
And what to do if you get hit
At least 30 companies have been hit in the past year by so-called "bug poaching," where hackers break into corporate servers, steal data, and then demand a fee for showing how it was done.
The technique, spotted by IBM's Managed Security Services researchers, involves miscreants breaking into a corp's servers, typically using a SQL injection attack against a website. In none of the cases IBM has investigated were zero-day vulnerabilities exploited – instead, crims just leveraged common or well-known programming blunders that weren't patched.
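To make the "well-known programming blunder" concrete, here is an added illustration (not code from IBM or from any of the firms it investigated) of the SQL injection hole the article describes, in Python against an in-memory SQLite table: the same lookup written the careless way and the parameterized way. The `customers` table, its sample rows and the function names are all constructed for this example.

```python
import sqlite3

# Constructed in-memory table standing in for a corporate web app's backend
# (sample data only; not from any real incident).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"),
         ("bob@example.com", "1881"),
         ("carol@example.com", "0005")],
    )
    return conn

def lookup_vulnerable(conn, email):
    """The well-known blunder: untrusted input is pasted into the SQL text, so a
    quote in the input changes the query's structure instead of being data."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    """Hardened form: the driver binds the value separately from the statement,
    so the input can only ever be compared as a string, never run as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def row_counts(conn, email):
    """Convenience for comparing the two behaviours on the same input."""
    return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))

if __name__ == "__main__":
    db = make_db()
    print(row_counts(db, "alice@example.com"))   # normal lookup: (1, 1)
    print(row_counts(db, "x' OR '1'='1"))        # quote-laden input: (3, 0)
```

The point of the comparison is the second line of output: with string concatenation a single stray quote turns a one-row lookup into a dump of the whole table, while the bound parameter returns nothing because the input is only ever treated as an email address. Every mainstream database driver offers the bound-parameter form, which is why IBM counts this among the blunders that should have been patched long ago.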
The intruders investigate the infiltrated servers for valuable information and stick it all in a cloud storage account. The victim then gets an email explaining that the data has been accessed, providing a link to the cloud storage site. The attackers then demand a reward of up to $30,000 for showing how they managed to pilfer the data.
"These criminals aren’t afraid of penetrating the organization’s network to steal data. They argue their methods prove the point that the organization’s system is vulnerable," said John Kuhn, senior threat researcher at IBM.
"By not immediately destroying or releasing the organization’s data, they are illustrating the ethics (like a white hat) that prevent them from being a complete black hat. Regardless of their rationale, this is data theft and extortion — be it with alleged good intentions or not."
Kuhn recommends not paying the bug poachers: there is seldom any need to pay in order to work out how the attackers got in. Web server logs are an excellent source of that information, he said, as is running forensic scans on the compromised machines. You'll just have to hope that the stolen information stays private; if people's personal data has been leaked, you should disclose that anyway.
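Kuhn's advice that the web server logs already tell you how the intruders got in can be shown with a small triage script. The following is an added example, not IBM's tooling: it parses lines in the common Apache/nginx combined format, flags parameter values that contain SQL syntax rather than the numbers or words the application expects, groups the flagged requests by source address, and reports the earliest one as the probable entry point. The log lines, addresses and paths are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. Addresses are
# documentation ranges and the requests are made up for this illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2016:02:14:05 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2016:02:14:09 +0000] "GET /products?id=42' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2016:02:14:31 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2016:02:15:02 +0000] "GET /products?id=-1%20UNION%20SELECT%20email,card_last4%20FROM%20customers HTTP/1.1" 200 182330 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2016:02:16:44 +0000] "GET /products?id=7 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators a responder looks for in decoded parameter values: SQL keywords and
# quote/comment sequences that make sense as SQL syntax but not as a product ID.
SQLI_INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("quote-tautology", re.compile(r"'\s*or\s*'", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("unbalanced-quote", re.compile(r"^[^']*'[^']*$")),
]

def parse_line(line):
    """Split one combined-format line into fields; returns None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so the indicators run on what the app saw.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def flag_request(rec):
    """Return (param, indicator) pairs for one parsed request; empty if it looks benign."""
    return [(name, label)
            for name, value in rec["params"]
            for label, pattern in SQLI_INDICATORS
            if pattern.search(value)]

def triage(log_text):
    """Group flagged requests by source IP: when they started, what they hit, how
    many ended in server errors, and how many bytes came back (a hint that the
    query actually returned data rather than just failing)."""
    report = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                                  "hits": [], "errors": 0, "bytes_returned": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = flag_request(rec)
        if not hits:
            continue
        entry = report[rec["ip"]]
        entry["first_seen"] = entry["first_seen"] or rec["when"]
        entry["last_seen"] = rec["when"]
        entry["hits"].append((rec["when"], rec["path"], hits, int(rec["status"])))
        if rec["status"].startswith("5"):
            entry["errors"] += 1
        if rec["size"] != "-":
            entry["bytes_returned"] += int(rec["size"])
    return dict(report)

def entry_point(report):
    """Earliest flagged request across all sources: the first answer to
    'how did they get in?' as (ip, when, path, parameter, indicator)."""
    best = None
    for ip, entry in report.items():
        when, path, hits, _status = entry["hits"][0]
        if best is None or when < best[1]:
            param, label = hits[0]
            best = (ip, when, path, param, label)
    return best

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for ip, entry in summary.items():
        print(ip, entry["first_seen"], "->", entry["last_seen"],
              f"{len(entry['hits'])} flagged, {entry['errors']} server errors,",
              f"{entry['bytes_returned']} bytes returned")
    print("probable entry point:", entry_point(summary))
```

Run against the sample, the script singles out one address, shows a 500 error on the first malformed request (the database complaining about the stray quote), and then two successful requests that returned far larger bodies than a normal product page, which is the pattern of a probe followed by an actual data pull. That is exactly the information the poachers offer to sell back; a few minutes with the access log, plus a forensic check of the host for anything dropped after the entry, usually yields it for free.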
Of course, the most obvious tactic is to harden up your defenses before these scammers strike. Apply patches, run penetration testing, and hire security staff who know what they are doing. But that's been the security industry's advice for the past 30 years and that doesn’t seem to have sunk in yet. ®