Bug poachers target businesses, demand money for bug info
Businesses are being hit with an extortion attempt based on attackers penetrating their network or websites and stealing corporate or user data. The attackers don’t say explicitly that the data will be published online, but are trying to get the victims to pay up to get information about the hole they used to breach the network.
According to IBM researcher John Kuhn, there are over 30 known victims, and very likely more that have not come forward.
The hackers usually find and exploit vulnerabilities on the target’s website, steal sensitive data, place it on a cloud storage service, and then send an email to the target organization.
The email does not contain an explicit threat, either that the data will be published or that they will break in again. The hackers simply offer proof that they have managed to compromise the data, and ask the organization to pay in order to receive details about how the compromise was executed.
So far, the attackers have demanded $30,000 or more for information about the exploited bugs.
“It’s important to note that these are not cases in which the victim organization has sponsored a bug bounty program that permits this activity,” says Kuhn. He and his fellow researchers dubbed these unscrupulous criminals “bug poachers.”
And, they point out, there is no guarantee that, once the organization pays the ransom, the data will not be released or sold to other criminals, that the organization will actually receive details about the vulnerabilities exploited in the attack, or that the same group will not hit it again through a different avenue.
Kuhn notes that forensic investigation of the attack and its methodologies could easily identify the exploit used without paying the attacker.
The best option, of course, is for organizations to prevent this type of attack in the first place.
Kuhn advises businesses to test and audit all web application code before putting it into use, to regularly run vulnerability scans on all websites and other company systems, to commission penetration tests that pinpoint web application vulnerabilities so they can be fixed before criminals stumble upon them, and to deploy IPS and WAF products to fight web-based attacks.
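Kuhn's point that a forensic review can identify the exploited hole without paying is worth making concrete. The script below is an added example, not code from IBM or the article: it triages constructed web-server access log lines (Apache/Nginx combined format, fictional addresses and paths) for the two things an investigator looks for first, requests carrying common web-exploitation patterns and unusually large successful responses that could mark the data being pulled out. The indicator patterns and the size threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines in "combined" format; addresses and paths are fictional.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:14:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:14:01:09 +0000] "GET /products?id=42'%20OR%20'1'='1 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:14:01:15 +0000] "GET /products?id=42%20UNION%20SELECT%20email,password%20FROM%20users HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2016:14:02:00 +0000] "GET /about HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:14:03:40 +0000] "GET /export/customers.csv HTTP/1.1" 200 5242880 "-" "curl/7.47.0"
"""

# Fields of one combined-format line: client IP, timestamp, method, path, status, bytes sent.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed request patterns that commonly indicate probing or exploitation of a web app.
INDICATORS = {
    "sqli": re.compile(r"(union\s+select|'\s*or\s*'|\bor\s+1=1)", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
    "xss": re.compile(r"<script|javascript:", re.I),
}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])          # decode %20 etc. so patterns match
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def triage(log_text, large_response=1_000_000):
    """Return, per client IP, the indicator types seen and any large 200 responses."""
    findings = defaultdict(lambda: {"indicators": set(), "large": [], "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                               # skip malformed lines rather than abort
        f = findings[rec["ip"]]
        f["requests"] += 1
        for name, rx in INDICATORS.items():
            if rx.search(rec["path"]):
                f["indicators"].add(name)
        if rec["status"] == "200" and rec["bytes"] >= large_response:
            f["large"].append((rec["ts"], rec["path"], rec["bytes"]))
    # Keep only clients with at least one finding so the analyst sees the short list.
    return {ip: f for ip, f in findings.items() if f["indicators"] or f["large"]}
```

On the sample above, one client is flagged for SQL injection patterns followed by a multi-megabyte download, which is exactly the timeline an investigator needs to name the exploited bug and the data touched.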