Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching by IBM researchers and is becoming a growing new threat to businesses vulnerable to attacks. According to IBM’s X-Force researchers, the new tactic it is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. More conventional ransomware attacks, also growing in number, simply encrypt data and demand payment for a decryption key.
Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability, said John Kuhn, senior threat researcher for IBM Managed Security Services. “These attackers are trying to play a moral high ground when it comes to exposing bugs,” Kuhn said to Threatpost in an interview. “But make no mistake, this is straight up extortion,” he said. IBM says it’s aware of 30 unsolicited bug poaching incidents within the past 12 months. According to Kuhn, similar incidents of extortion were unheard of before that. He predicts that this type of extortion will become more commonplace and companies need to protect themselves from these type of attacks.
IBM says a typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen. During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: “Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun.” Kuhn said that payment of the ransom is no guarantee the hackers will destroy the stolen data. “These attackers are equal opportunity hackers looking for any business that may have a simple vulnerability to exploit such as a SQL injection attack against a website flaw,” Kuhn said. Other attacks have included the use of off-the-shelf penetration testing tools to find flaws. “So far, none of the cases investigated use significant zero-day vulnerabilities, but rather tactics that could easily be prevented,” wrote Kuhn in a blog post describing bug poaching. Kuhn anticipates that these attacks will become more sophisticated as any success will inspire bigger paydays against larger companies. “While on the surface these attackers may seem to be less threatening than others, they still pose a threat to an organization’s data and security posture,” Kuhn wrote.