At least 30 companies have been hit in the past year by so-called "bug poaching," where hackers break into corporate servers, steal data, and then demand a fee for showing how it was done.
The technique, spotted by IBM's Managed Security Services researchers, involves miscreants breaking into a corp's servers, typically using a SQL injection attack against a public-facing website. In none of the cases IBM has investigated were zero-day vulnerabilities exploited; instead, crims simply leveraged common, well-known programming blunders that had been left unpatched.
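To show what "common, well-known programming blunders" means in practice, here is an added example (not code from IBM or from any of the affected companies) of the kind of SQL injection hole described above beside its fixed form. The product-lookup function, the table layout and the sample rows are all constructed for the illustration; it uses an in-memory SQLite database so it runs offline.

```python
import sqlite3


def make_db():
    """Build a small constructed database: a products table the page is meant to
    query, and a users table the attacker is after."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(42, "Widget"), (43, "Gadget")])
    # Constructed placeholder hash, not a real credential.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "$2b$12$constructed-hash-for-illustration")])
    return conn


def lookup_vulnerable(conn, product_id):
    """The blunder: the request parameter is pasted straight into the SQL text,
    so whatever the client sends becomes part of the query."""
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id):
    """The fix: validate the type first, then let the driver bind the value as
    data rather than as SQL."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (pid,)
    ).fetchall()


# A classic UNION-based payload that stitches the users table onto the result set.
PAYLOAD = "42 UNION SELECT username, password_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "42"))
    print("vulnerable, injected     :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized, injected  :", lookup_parameterized(db, PAYLOAD))
```

The vulnerable version hands back the admin's stored hash alongside the product row; the parameterized version rejects the payload outright, and even a payload that survived the integer check would be bound as a literal value rather than parsed as SQL.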
The intruders investigate the infiltrated servers for valuable information and stick it all in a cloud storage account. The victim then gets an email explaining that the data has been accessed, providing a link to the cloud storage site. The attackers then demand a reward of up to $30,000 for showing how they managed to pilfer the data.
"These criminals aren’t afraid of penetrating the organization’s network to steal data. They argue their methods prove the point that the organization’s system is vulnerable," said John Kuhn, senior threat researcher at IBM.
"By not immediately destroying or releasing the organization’s data, they are illustrating the ethics (like a white hat) that prevent them from being a complete black hat. Regardless of their rationale, this is data theft and extortion — be it with alleged good intentions or not."
Kuhn recommends not paying the bug poachers, since paying is seldom necessary to work out how the attackers got in. Web server logs are an excellent source of that information, he said, as are forensic scans of the affected machines. You will just have to hope that the stolen data stays private; if people's personal data has been exposed, you should disclose that anyway.
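As an added example of the log-driven approach Kuhn describes (this is not IBM's tooling, and the log lines below are constructed, using documentation-range IP addresses, to resemble an Apache or nginx combined-format access log), the script parses each request, URL-decodes the path and query, and tags the classic SQL injection tells: a stray quote followed by a 500, UNION SELECT, comment terminators, boolean and time-based probes, and a scanner User-Agent. Grouping the hits by source address gives the timeline of the intrusion without paying anyone for it.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample traffic in combined log format; not real server logs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2016:02:14:11 +0000] "GET /products.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2016:02:14:15 +0000] "GET /products.php?id=42' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2016:02:14:20 +0000] "GET /products.php?id=42%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 8901 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2016:02:15:02 +0000] "GET /products.php?id=42%20AND%20SLEEP(5)-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2016:02:16:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2016:02:17:03 +0000] "GET /products.php?id=42%20AND%201=1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each tag is a well-known injection fingerprint, matched against the decoded request.
SQLI_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("comment", re.compile(r"(--|#|/\*)")),
    ("boolean", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap|havij|nikto|acunetix", re.I)


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decode_request(path):
    # Decode twice: attackers sometimes double-encode to slip past naive filters.
    return unquote_plus(unquote_plus(path))


def classify(decoded_path, user_agent):
    """Tags that apply to one request; an empty list means nothing suspicious."""
    tags = [name for name, rx in SQLI_PATTERNS if rx.search(decoded_path)]
    if SCANNER_UA.search(user_agent):
        tags.append("scanner-ua")
    return tags


def scan(log_text):
    """Every request carrying at least one injection fingerprint, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        decoded = decode_request(rec["path"])
        tags = classify(decoded, rec["ua"])
        if tags:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "request": decoded, "tags": tags})
    return hits


def summarize(hits):
    """Per-source timeline: count, first and last sighting, and the union of tags seen.
    A quote followed by a 500 then a 200 on a UNION query is the usual error-to-exfil arc."""
    out = {}
    for h in hits:
        s = out.setdefault(h["ip"], {"count": 0, "first": h["ts"], "last": h["ts"], "tags": set()})
        s["count"] += 1
        s["last"] = h["ts"]
        s["tags"].update(h["tags"])
    return out


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], ",".join(h["tags"]), h["request"])
    for ip, s in summarize(scan(SAMPLE_LOG)).items():
        print(ip, s["count"], "hits from", s["first"], "to", s["last"], sorted(s["tags"]))
```

Run it against a real access log with `scan(open(path).read())`; the first hit from an address, and the first 500 after a quote, usually pinpoint the vulnerable endpoint, and the request that returned an unusually large body is the one that pulled the data.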
Of course, the most obvious tactic is to harden your defenses before these scammers strike: apply patches, run penetration tests, and hire security staff who know what they are doing. But that has been the security industry's advice for the past 30 years, and it doesn't seem to have sunk in yet. ®