Hackers Find Bugs, Extort Ransom and Call it a Public Service

Crooks breaking into enterprise networks are holding data they steal for ransom under the guise that they are doing the company a favor by exposing a flaw.

Crooks breaking into enterprise networks are holding data they steal for ransom under the guise that they are doing the company a favor by exposing a flaw. IBM researchers describe the criminal act as bug poaching, and it is becoming a growing threat to businesses vulnerable to attack.

According to IBM’s X-Force researchers, the new tactic is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as $30,000 in exchange for details on how the hackers broke into their network and stole data. More conventional ransomware attacks, also growing in number, simply encrypt data and demand payment for a decryption key.

Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability, said John Kuhn, senior threat researcher for IBM Managed Security Services.

“These attackers are trying to play a moral high ground when it comes to exposing bugs,” Kuhn said to Threatpost in an interview. “But make no mistake, this is straight up extortion,” he said.

IBM says it’s aware of 30 unsolicited bug poaching incidents within the past 12 months. According to Kuhn, similar incidents of extortion were unheard of before that. He predicts that this type of extortion will become more commonplace and that companies need to protect themselves from these types of attacks.

IBM says a typical bug poaching incident starts with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for an explanation of how the data was stolen.

During the attack, victims are not threatened with the public release of their data; instead, attackers simply send a message that reads: “Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun.”

Kuhn said that payment of the ransom is no guarantee the hackers will destroy the stolen data.

“These attackers are equal opportunity hackers looking for any business that may have a simple vulnerability to exploit such as a SQL injection attack against a website flaw,” Kuhn said. Other attacks have included the use of off-the-shelf penetration testing tools to find flaws.

“So far, none of the cases investigated use significant zero-day vulnerabilities, but rather tactics that could easily be prevented,” wrote Kuhn in a blog post describing bug poaching.
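Kuhn’s point is that the entry vectors seen so far, SQL injection among them, are flaws with well-known fixes. The following is an added illustration written for this article, not code from IBM or from any of the cases described: it builds a small in-memory SQLite table of constructed, fictitious customer records, runs the same lookup once with the query assembled by string formatting and once with a bound parameter, and shows that a classic tautology string used as a regression test pulls back every row from the first version and nothing from the second. The table, column names and sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example only; these are not real records.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Flawed pattern: user input is spliced into the SQL text itself."""
    query = (
        "SELECT id, username, email FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Fixed pattern: the value travels as a bound parameter, never as SQL."""
    query = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def run_regression_check():
    """Compare both lookups on a normal name and on a tautology test string.

    Returns the row counts so the difference can be asserted in a test suite.
    The test string is the textbook ' OR '1'='1 tautology, used here only to
    confirm that the parameterized version is not affected by it.
    """
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_parameterized": len(lookup_parameterized(conn, "alice")),
        "probe_vulnerable": len(lookup_vulnerable(conn, probe)),
        "probe_parameterized": len(lookup_parameterized(conn, probe)),
    }


if __name__ == "__main__":
    for name, count in run_regression_check().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable lookup returns all three constructed rows for the test string because the assembled WHERE clause becomes `username = '' OR '1'='1'`, which is true for every row; the parameterized lookup returns none, because SQLite compares the whole string literally against the column. Wiring a check like this into a test suite is one cheap way to keep the flaw from quietly returning after it has been fixed.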

Kuhn anticipates that these attacks will become more sophisticated as any success will inspire bigger paydays against larger companies.

“While on the surface these attackers may seem to be less threatening than others, they still pose a threat to an organization’s data and security posture,” Kuhn wrote.

  • Havokmon on

    Hmmm "I know something you don't." isn't a threat. By definition, extortion requires a threat. This is almost an ad for IBM services, "Go with us, we're 100% secure". Yet most breaches are inside jobs. These companies obviously aren't paying for preemptive security, and are likely violating laws or contracts by doing so. Of course, the attacker is breaking the law by bypassing access controls to access a system they are unauthorized to access. Do two wrongs make a right?
  • RK on

    If organizations would actually take security seriously, as in not just looking at it like a small check box during compliance audits but as an investment in keeping their data safe and secure, attacks like this wouldn't be an issue. It sounds like these people are attacking the low-hanging fruit; otherwise off-the-shelf auditing tools wouldn't be doing much good in performing successful attacks. I feel more for the poor clients that trust their data with an insecure company than for the company that has such poor security practices that it lets itself get taken advantage of in such a way.
  • Random Peasant on

    Just a few days ago, the FBI held at gunpoint and raided the home of Justin Shafer, a security researcher who exposed Eaglesoft's carelessness with sensitive user data. Companies like Eaglesoft have sent a message loud and clear that no good deed goes unpunished, leaving the field wide open for those who would rather extort companies instead. Which do you think c-level execs would choose: paying for competent IT staff and systems or making a huge bonus?
  • Johnny on

    Actually taking data is obviously illegal. There is no way to spin it otherwise. Scanning and offering to show someone how to fix it is one thing. Taking data without permission is something else entirely.
