Bug Poaching: A New Extortion Tactic Targeting Enterprises

Imagine a scenario in which burglars break into your home but steal nothing and don’t harm anything inside. Instead, these burglars take pictures of all your precious belongings and personal assets. Later that day, you receive a letter with copies of all these pictures and an alarming message: “If you’d like to know how we broke into your house, please pay us large sums of money.”

There’s no explicit threat that they will break in again or that they will give out the pictures of your belongings if you don’t pay. Instead, just a simple statement that you should pay them to understand how to fix your locks.

Now, replace the house with your corporate network, and the burglars with hackers. And those pictures the burglars took are now your organization’s sensitive corporate data.

Unsolicited Bug Bounties

IBM Security has identified an active campaign targeting more than 30 enterprise organizations within the last year. Dubbed bug poaching by researchers, this malicious tactic is being used to extort organizations for large payments of upwards of $30,000 to reveal the website flaws that allowed the attacker onto the corporate network.

It’s important to note that these are not cases in which the victim organization has sponsored a bug bounty program that permits this activity. This is all being done under the disguise of pretending to be a good guy when, in reality, it is pure extortion on the black hat scale. The attack is carried out by criminals pretending to want to do something good for the organization but demanding payment for doing so.

These criminals aren’t afraid of penetrating the organization’s network to steal data. They argue their methods prove the point that the organization’s system is vulnerable. By not immediately destroying or releasing the organization’s data, they are illustrating the ethics (like a white hat) that prevent them from being a complete black hat. Regardless of their rationale, this is data theft and extortion — be it with alleged good intentions or not.

Bug Poaching in Action

The process of bug poaching is quite simple and breaks down into a few steps:

  • The attacker finds and exploits vulnerabilities on an organization’s website. SQL injection seems to be the main method of attack, possibly using off-the-shelf penetration testing tools to find flaws. (Note: So far, none of the cases investigated use significant zero-day vulnerabilities, but rather tactics that could easily be prevented.)
  • Once they are able to obtain sensitive data or personally identifiable information (PII), cybercriminals quickly pull down all they can and store it.
  • The stolen data is placed on a cloud storage service.
  • An email is sent to the organization that links to the data as proof that the attacker has penetrated the network.
  • The attacker asks for a payment via wire transfer to disclose how the data was stolen.

While the attacker doesn’t explicitly threaten to release the data or attack the organization again, it leaves a lot of questions for the victims. The email makes bold statements such as: “Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun.”

This does not negate the fact that the attacker stole the organization’s data and placed it online, where others could potentially find it or where it can be released. To put it mildly, trusting unknown parties to secure sensitive corporate data — particularly those who breached an organization’s security measures without permission — is not a security best practice. It’s also not clear that attackers won’t just release the data, payment or no payment.

If You’re a Bug Poaching Victim

What do you do if you’re a victim of a bug poaching attack? First, gather all the information you have on the attack, including emails you’ve received and logs from your Web servers. Next, contact local law enforcement, the FBI or Interpol. Supply them with as much detail as possible.

There is a lot of debate over whether an organization should then pay the ransom. While in this case there is an indication that the attacker may provide details of the vulnerability after payment, one could contend that may not always be the case. The organization would be contributing to cybercrime.

Additionally, the payment only buys the organization information on the one vulnerability; there’s a good chance that where there’s one avenue of exploitation, there are others. Lastly, the fact that the organization has a history of paying ransom may embolden future trouble.

On the other hand, one could take the position that a company with a firm security posture should not need to pay the ransom at all. Forensic investigation of the attack and its methodologies could easily identify the exploit used without paying the attacker.

Utilizing the logs from your Web server would be key, but having these logs easily available can be a challenge for many organizations. Enterprises that aren’t sure how to investigate their own logs can get help from emergency response and forensic investigation services.

How Can I Avoid These Attacks?

Protecting against these types of attacks relies on utilizing a defense-in-depth strategy.

  • Regularly run vulnerability scans on all your outward-facing websites. Also remember that it’s not just the exterior that matters: Regular vulnerability scanning of all internal and external systems should be part of every company’s security policy.
  • Penetration testing can help identify Web application vulnerabilities before criminals do.
  • Utilize intrusion prevention systems and Web application firewalls to provide broad protection against Web-based attacks.
  • Strictly test and audit all Web application code before production release.
  • Enterprises that use SIEM technology and monitor net flows already have a leg up in attacks such as bug poaching. Storing and analyzing these logs in a central location can dramatically decrease the amount of time needed to identify attacks and forensically analyze them.

While on the surface these attackers may seem to be less threatening than others, they still pose a threat to an organization’s data and security posture. It’s key to have and maintain an incident response plan in case you face similar threats. Ensuring your organization knows whom to contact and how to respond in advance is critical for effective response and mitigation.

While bug poaching demands may not feel as severe as sophisticated attacks that expose your data to carding forums or pasting sites, you should treat them equally as seriously.

Share this Article:
John Kuhn

Senior Threat Researcher, IBM

John Kuhn, Senior Threat Researcher, IBM Managed Security Services – John spends his days monitoring client networks and analyzing advanced threats. As part of the research team at IBM’s Managed Security Services, John has hands on knowledge of malware, APTs, threat detection, the evolving threat landscape, network security, and more.