The attack on Target began on November 27, 2013. The US Department of Justice notified Target of suspicious activity on December 12, and Target confirmed the breach by December 13. By December 15, Target had engaged a third-party forensic team and the malware had been removed from its systems. Target informed approximately 110 million shoppers who had used a credit or debit card at one of its stores during the attack window that their personal and financial information had been compromised. To put that in perspective: the attackers stole roughly 11 gigabytes of data.
Anatomy of the Target data breach
Now let’s take a look at the sequence of steps that led to the data breach. Had any one of these steps been noticed and stopped, the attack would likely have collapsed.
Before they could infiltrate Target’s corporate network, the attackers first compromised a third-party vendor. How many of Target’s suppliers were targeted is unknown; it only took one. That one was Fazio Mechanical, a refrigeration and HVAC contractor.
A phishing email tricked at least one Fazio employee into installing Citadel, a variant of the Zeus banking Trojan, on Fazio computers. After Citadel was installed, attackers waited for the malware to deliver what they wanted: Fazio Mechanical credentials.
At the time of the attack, all major enterprise anti-malware products detected the Citadel malware. Unconfirmed reports said that Fazio was using the free version of Malwarebytes Anti-Malware, which is an on-demand scanner and does not offer real-time protection. (Note: Malwarebytes Anti-Malware is highly regarded by experts when it is used correctly, that is, alongside a real-time product rather than in place of one.)
Chris Poulin, a research strategist at IBM, offers some suggestions in this article: Target should require vendors that access its systems to run appropriate anti-malware software. Poulin adds, “Or at least require contractors who have internal access to sensitive information to use two-factor authentication.”
Using the access to Target’s vendor portal
Most likely, Citadel also harvested the credentials for the portals Fazio Mechanical used to do business with Target. The attackers then had to work out which portal they could hijack and use as a pivot point into Target’s internal network. Target never officially disclosed which system was the entry point, but the Ariba supplier portal was a prime candidate.
Brian Krebs quoted a former member of Target’s security team on the Ariba portal: “Most, if not all of Target’s internal applications used Active Directory (AD) credentials. This would mean that the server would have access to the rest of the corporate network in one form or another.”
The same source suggested an alternative attack scenario: “In cases where attackers have exploited a vulnerability in the web application, such as an SQL injection, XSS or possibly a 0-day, to obtain a point of presence, it is used to escalate privileges and then to attack internal systems.”
Without knowing the details, it is difficult to say exactly what would have stopped this stage of the attack. However, various sources agree that an IDS/IPS monitoring the portal segment would have helped detect the attack traffic and alert Target staff to the unusual behavior. According to this Bloomberg Business article, a malware detection tool from security firm FireEye was in fact deployed and did raise an alert, but the alert went unanswered.
Taking control of Target’s servers
Again, Target did not publicly disclose how the attackers compromised several of its internal Windows servers, but there are several possibilities.
One theory proposes that the criminals followed the attack lifecycle described in Mandiant’s APT1 report: find an initial vulnerable system, “then move laterally through the network to other vulnerable systems.”
Gary Warner, the founder of Malcovery Security, believes the servers were compromised through SQL injection. He bases this on the many similarities between the Target breach and the breaches committed by the Drinkman and Gonzalez gang, who also relied on SQL injection.
This iSIGHT Partners report provides details on the malware, called Trojan.POSRAM, that infected Target’s point-of-sale (POS) systems and scraped card data from memory. “Every seven hours the Trojan checks whether the local time is between 10 a.m. and 5 p.m.,” says the iSIGHT Partners report. “If so, the Trojan tries to send winxml.dll on a temporary NetBIOS share to an internal host (dump server) within the compromised network on TCP port 139, 443, or 80.”
This technique made it possible for the attackers to collect data from point-of-sale terminals that had no internet access of their own: the registers only ever talked to another internal host.
Once the credit/debit card data had been staged on the dump server, the malware sent a specially crafted ICMP packet (a ping) to a remote server to signal that a fresh batch was waiting. The attackers then moved the stolen data from the dump server to external FTP servers and sold their loot on the digital black market.
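The staging and exfiltration pattern described above leaves a distinctive footprint in network flow logs: many registers pushing SMB/HTTP(S)-port traffic to one internal host during business hours, then that host beaconing out over ICMP and talking FTP to the internet. The following is an added example of detection logic over such logs; it is not code from the original article or from any vendor report. The log format, the POS subnet (10.20.0.0/16), the dump server address, the external hosts and the thresholds are all assumptions for the example, and the log lines are constructed.

```python
"""Flag a POSRAM-style staging/exfil chain in simplified flow logs.

Added example, not from the original article or any cited report.
Network layout and log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed network layout (hypothetical addresses).
POS_SUBNET = ip_network("10.20.0.0/16")        # registers live here
INTERNAL = [ip_network("10.0.0.0/8")]          # everything else that is "inside"
STAGING_PORTS = {139, 443, 80}                 # destination ports named in the iSIGHT report
BUSINESS_HOURS = (time(10, 0), time(17, 0))    # window the Trojan checks before staging

# Constructed flow log: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
SAMPLE_LOG = """\
2013-12-02T11:14:03 10.20.5.17:49211 -> 10.1.7.9:139 tcp 418203
2013-12-02T11:21:40 10.20.5.18:49212 -> 10.1.7.9:139 tcp 402117
2013-12-02T11:22:09 10.20.5.31:49188 -> 10.1.7.9:443 tcp 395880
2013-12-02T11:30:00 10.20.5.17:49300 -> 10.1.2.2:53 udp 88
2013-12-02T14:02:15 10.1.7.9:0 -> 203.0.113.44:0 icmp 64
2013-12-02T14:05:51 10.1.7.9:51022 -> 203.0.113.80:21 tcp 1203
2013-12-02T14:06:02 10.1.7.9:51023 -> 203.0.113.80:20 tcp 11830000
2013-12-02T23:10:44 10.20.5.17:49400 -> 10.1.7.9:139 tcp 5200
"""


def parse_flow(line):
    """Turn one log line into a dict with typed fields."""
    ts, src, _arrow, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(sip), "sport": int(sport),
            "dst": ip_address(dip), "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def find_staging_hosts(flows, min_sources=2):
    """Internal, non-POS hosts that receive traffic on the staging ports from
    several registers inside the business-hours window. A register has no
    legitimate reason to push files to a peer on port 139, 443 or 80."""
    receivers = defaultdict(set)
    for f in flows:
        if (f["src"] in POS_SUBNET and is_internal(f["dst"]) and f["dst"] not in POS_SUBNET
                and f["proto"] == "tcp" and f["dport"] in STAGING_PORTS
                and BUSINESS_HOURS[0] <= f["ts"].time() <= BUSINESS_HOURS[1]):
            receivers[f["dst"]].add(f["src"])
    return {host: srcs for host, srcs in receivers.items() if len(srcs) >= min_sources}


def find_exfil_signals(flows, staging_hosts):
    """For each suspected dump server: outbound ICMP to an external host (the
    'batch is ready' beacon) and outbound FTP (ports 20/21) to an external host."""
    findings = {}
    for host in staging_hosts:
        icmp = [f for f in flows
                if f["src"] == host and f["proto"] == "icmp" and not is_internal(f["dst"])]
        ftp = [f for f in flows
               if f["src"] == host and f["proto"] == "tcp" and f["dport"] in (20, 21)
               and not is_internal(f["dst"])]
        if icmp or ftp:
            findings[host] = {"icmp_beacons": len(icmp), "ftp_flows": len(ftp),
                              "ftp_bytes": sum(f["bytes"] for f in ftp)}
    return findings


def analyze(log_text):
    """Run both detectors; keys are returned as strings for easy reporting."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    staging = find_staging_hosts(flows)
    signals = find_exfil_signals(flows, staging)
    return ({str(h): sorted(str(s) for s in srcs) for h, srcs in staging.items()},
            {str(h): v for h, v in signals.items()})


if __name__ == "__main__":
    staging, signals = analyze(SAMPLE_LOG)
    for host, srcs in staging.items():
        print(f"suspected dump server {host}: {len(srcs)} registers staged data here")
    for host, s in signals.items():
        print(f"  {host}: {s['icmp_beacons']} ICMP beacon(s), "
              f"{s['ftp_flows']} FTP flow(s), {s['ftp_bytes']} bytes out")
```

Note the out-of-hours flow at 23:10 is deliberately ignored by the staging detector, mirroring the Trojan’s own time check; in practice you would not rely on that alone and would also alert on any register-to-peer SMB at all, since a POS terminal should never initiate SMB to anything but its designated management host.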
After the attack, Target set out to improve its security. A page on the company’s website describes the changes it has made, including:
- Improved monitoring and logging of system activity
- Application whitelisting on point-of-sale systems
- Implementation of point-of-sale management tools
- Improved firewall rules and policies
- Limiting or disabling vendor access to its network
- Disabling, resetting, or reducing the privileges of more than 445,000 Target personnel and contractor accounts
- Expanded use of two-factor authentication and password vaults
- Training of personnel on password rotation
If implemented as described by Target, these changes would help address the vulnerabilities that were exploited in the attack.
However, as this article discusses, the attackers demonstrated exceptional skill at exfiltrating data from a complex retail network, which makes its conclusion all the more relevant: “This ingenuity shows the current value of credit card information in the criminal market. And similar breaches will be common until fundamental changes are made to the technology behind payment cards.”