IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks

And what to do if you get hit


At least 30 companies have been hit in the past year by so-called "bug poaching," where hackers break into corporate servers, steal data, and then demand a fee for showing how it was done.

The technique, spotted by IBM's Managed Security Services researchers, involves miscreants breaking into a corp's servers, typically using a SQL injection attack against a website. In none of the cases IBM has investigated were zero-day vulnerabilities exploited – instead, crims just leveraged common or well-known programming blunders that weren't patched.
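The "common or well-known programming blunder" in a SQL injection case is almost always a query assembled from untrusted input. As an added illustration (not code from the article or from IBM), the following Python snippet uses an in-memory SQLite table with constructed sample rows to show the vulnerable pattern next to the parameterized form that closes the hole; the table, column names and the lookup functions are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed sample table: only rows with public = 1 should ever be returned."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers (email, public) VALUES (?, ?)",
        [("alice@example.com", 1), ("bob@example.com", 0), ("carol@example.com", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # The blunder: untrusted input is pasted into the SQL text, so a quote in the
    # input changes the structure of the query instead of being compared as data.
    sql = f"SELECT email FROM customers WHERE public = 1 AND email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, email):
    # Parameter binding: the driver sends the value separately from the statement,
    # so whatever the input contains, the WHERE clause keeps its intended shape.
    sql = "SELECT email FROM customers WHERE public = 1 AND email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email):
    """Run both lookups on the same input and return (vulnerable_result, hardened_result)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, email), lookup_hardened(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed input behaves the same either way; a malformed one shows the gap.
    for candidate in ("alice@example.com", "bob@example.com", "x' OR '1'='1"):
        print(repr(candidate), "->", compare(candidate))
```

The hardened version is the whole fix: no escaping routine or input blocklist is needed, because bound parameters never become part of the statement's grammar.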

The intruders investigate the infiltrated servers for valuable information and stick it all in a cloud storage account. The victim then gets an email explaining that the data has been accessed, providing a link to the cloud storage site. The attackers then demand a reward of up to $30,000 for showing how they managed to pilfer the data.

"These criminals aren’t afraid of penetrating the organization’s network to steal data. They argue their methods prove the point that the organization’s system is vulnerable," said John Kuhn, senior threat researcher at IBM.

"By not immediately destroying or releasing the organization’s data, they are illustrating the ethics (like a white hat) that prevent them from being a complete black hat. Regardless of their rationale, this is data theft and extortion — be it with alleged good intentions or not."

Kuhn recommends not paying the bug poachers: paying is seldom necessary to work out how the attackers got in. Web server logs are an excellent source of that information, he said, as is running forensic scans on the affected machines. You'll just have to hope the stolen data stays private; if people's personal data is leaked, you should disclose that anyway.
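To make the web-server-log point concrete, here is an added example (not from the article or from IBM) of the kind of first-pass triage an incident responder runs over access logs after an extortion email arrives. It parses lines in the common combined log format, decodes each query parameter, and flags the SQL injection indicators a poacher's probing typically leaves behind: a UNION SELECT in a parameter, a quote-plus-OR tautology, comment sequences, schema probing, and the weaker signal of a stray quote followed by a 5xx error. The log lines, IP addresses and paths are constructed sample data; the pattern list is a starting point, not a complete signature set.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not a real server's log).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2016:08:01:12 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:08:01:15 +0000] "GET /products?id=42%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:08:01:19 +0000] "GET /products?id=42%20UNION%20SELECT%20name%2Cpass%20FROM%20users HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2016:08:02:03 +0000] "GET /products?id=17 HTTP/1.1" 200 4988 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2016:08:02:07 +0000] "GET /search?q=union+square HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against each decoded parameter value. Word boundaries and the
# required SELECT keep a benign "union square" search from matching.
PATTERNS = [
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+[^=]{1,20}=", re.I)),
    ("comment", re.compile(r"(?:--|/\*)")),
    ("schema-probe", re.compile(r"information_schema|sqlite_master", re.I)),
]


def parse_line(line):
    """Return a dict for one log line, with the query string split into decoded (name, value) pairs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl undoes both %XX encoding and '+' for spaces, so patterns see plain text.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def scan_request(rec):
    """List (parameter, indicator) pairs for one parsed request."""
    hits = []
    for name, value in rec["params"]:
        for label, rx in PATTERNS:
            if rx.search(value):
                hits.append((name, label))
        # Weak signal on its own, strong in context: a lone quote that made the app throw a 5xx.
        if "'" in value and rec["status"].startswith("5"):
            hits.append((name, "quote-then-server-error"))
    return hits


def triage(log_text):
    """Return one finding per request that tripped at least one indicator, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = scan_request(rec)
        if hits:
            findings.append({
                "ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                "status": rec["status"], "hits": hits,
            })
    return findings


def suspicious_sources(findings):
    """Count flagged requests per client IP so the responder knows where to pivot next."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["time"], f["ip"], f["status"], f["path"], f["hits"])
    print("flagged requests per source:", dict(suspicious_sources(results)))
```

The first flagged line (a quote that produced a 500) is the probe, the second (UNION SELECT returning an unusually large response) is the extraction; the timestamp run from one address is what then scopes the rest of the investigation, including which tables the query could reach and which hosts that address touched afterwards.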

Of course, the most obvious tactic is to harden up your defenses before these scammers strike. Apply patches, run penetration testing, and hire security staff who know what they are doing. But that's been the security industry's advice for the past 30 years and that doesn’t seem to have sunk in yet. ®
