Lack of bug bounty programs won't deter cyber extortion attacks

IBM reports 30 'bug poaching' cyber extortion attacks in the past year, as black hat hackers aim to "help" enterprises by exploiting SQL injection vulnerabilities.

A security researcher has reported an unusual campaign of cyberattacks against 30 enterprises over the past year in which sensitive or personal data is posted to a cloud server and followed by an email from the attacker requesting a payment in exchange for disclosing how the data was taken.

The series of cyber extortion attacks were discovered by a security researcher at IBM who dubbed the attack "bug poaching" because of the similarities to transactions done under bug bounty programs, where enterprises offer payments to researchers who report flaws or vulnerabilities in the organization's network infrastructure or product.

"It's important to note that these are not cases in which the victim organization has sponsored a bug bounty program that permits this activity," wrote John Kuhn, the senior threat researcher at IBM Managed Security Services who discovered the campaign. "This is all being done under the disguise of pretending to be a good guy when, in reality, it is pure extortion on the black hat scale. The attack is carried out by criminals pretending to want to do something good for the organization but demanding payment for doing so."

The most interesting aspect of this, Kuhn said, is the "moral gray area" that the attackers are operating in.

"They are black hat, because they did exploit this company and they did leak their data and posted it online. This would be criminal behavior by any laws. But they're saying, 'we'll protect this data, if you just give us some money.' And that's extortion," Kuhn told SearchSecurity. "They could ethically disclose these vulnerabilities to corporations if they really wanted to help them. They could do it without asking for a ransom, so while this might be a 'gray-ish' area, to me, it's just extortion."

Details of attacks, victims

While noting that he could not provide specifics of the cyber extortion attacks or the victims, Kuhn did tell SearchSecurity that in "the ones we were aware of, the ransom was $30,000 in each case. They seem to be running a flat-fee extortion."

"We're aware of one company that did [pay]," Kuhn said, and in that case the attackers "did follow their word, they did disclose the vulnerability to that company."

These criminals claim they are doing a service for these organizations, but really this is straight up extortion.
Karl Siglerthreat intelligence manager, Trustwave

"There were no real commonalities between all the victims, other than that most of them had easy SQL injection exploits," Kuhn said, which may mean that the attackers "were searching for easy things to exploit and pull this extortion off quickly and more efficiently."

Kuhn didn't rule out the possibility that the attackers used other vulnerabilities. "I don't know the specifics of all 30 [attacks], I know of the specifics of a few, and those were SQL injections, but I have to imagine they were not all SQL injections."

Kuhn would not speculate on the identity of the attackers. "IBM never goes down the attribution chain. I understand how the attack happens and how it was orchestrated and a lot of the specifics of it, but we never try to figure out if it's one person or a group. We leave that to law enforcement."

Is it really new?

"It's not a new strategy," Kuhn said. "But it's not something that a lot of people talk about, and it didn't happen that often." Kuhn said that, previous to the 30 attacks that have happened within the last year, "I can count maybe one or two that I've heard of in the previous 14 years. It's significantly increased, and the more that it happens, and the more people that pay these ransoms, the more popular this technique is going to become. I can only see it getting more sophisticated. Right now, they're going after the low-hanging fruit, the easy SQL injections."

"I definitely think that this type of activity is going to increase, that was why I decided to speak up about it," Kuhn said. "I've got to at least make corporations aware that this might happen to them, and get some awareness going so that people can start building response plans around it, and understanding how exactly they would handle this situation if it happened to them."

Karl Sigler, threat intelligence manager at Trustwave, said: "This type of story is as old as hacking. Going back even to the 1990's you'll find stories of hackers demanding payment to unveil some critical bug they 'discovered' in an organization's infrastructure. These criminals claim they are doing a service for these organizations, but really this is straight up extortion."

Lysa Myers, security researcher at ESET, agreed that while the term "bug poaching" is new, the concept of cyber extortion is not. "The risk is as it's always been [that] if your security is lax, bad things can and likely will happen. It's important to keep your software up to date, and your sensitive data encrypted at rest and in transit. There are plenty of ways to make your system an unappealing target for criminals so that they'll move along to the next target."

"[W]e see this kind of attack on web servers every day. This is yet another example of adversaries leveraging attacks that do not rely on malware," said Dan Larson, director of technical product management at CrowdStrike, adding that with modern endpoint security products it is possible to "identify and prevent this kind of attack by looking at the attacker behavior. In these cases, the behavior is typically a SQL injection attack followed by the attacker dropping a web shell."

What to do about it?

Kuhn advised bug poaching victims to start by gathering all the information available about the cyber extortion attack, including any emails from the attackers as well as server logs, and then contacting "local law enforcement, the FBI or Interpol."

Kuhn wrote: "There is a lot of debate over whether an organization should then pay the ransom. While in this case there is an indication that the attacker may provide details of the vulnerability after payment, one could contend that may not always be the case. The organization would be contributing to cybercrime."

Kuhn wrote that "the fact that the organization has a history of paying ransom may embolden future trouble," adding that "a company with a firm security posture should not need to pay the ransom at all. Forensic investigation of the attack and its methodologies could easily identify the exploit used without paying the attacker."

As for prevention, Kuhn recommends running vulnerability scans of any outward facing servers, running penetration tests, using IPS and web application firewalls, testing and auditing any web application code before turning it on, and using SIEM to monitor and log network data flows. He also said: "It's key to have and maintain an incident response plan in case you face similar threats. Ensuring your organization knows whom to contact and how to respond in advance is critical for effective response and mitigation."

"It's no surprise that these specific criminals primarily relied on SQL injection in order to exfiltrate the data used for extortion," Sigler said, adding that SQL injection is one of the most common flaws his company finds during web applications audits and penetration tests. "Businesses should be performing ongoing vulnerability assessments and penetration tests of any public facing services. Employing a web application firewall in front of your web server will also help prevent this type of attack. Finally, monitoring your web server logs and network activity can help you spot a breach before any major damage can be done."

Next Steps

Find out why the concept of a bug bounty program may be flawed.

Learn more about preventing and stopping SQL injection attacks.

Read about guidelines for proper response to email extortion schemes.

Dig Deeper on Email and Messaging Threats-Information Security Threats