
Target Breach: 5 Unanswered Security Questions

Investigators have yet to explain how Target was hacked, whether BlackPOS malware infected its payment servers, and whether the same gang also struck other retailers.

[Image: Top 10 Retail CIO Priorities For 2014]

How did hackers break into systems at Target?

Officials at the nation's second-largest discount retailer have admitted that attackers stole credit and debit card details for 40 million customers and personal information pertaining to 110 million customers.

According to investigators, attackers obtained the point-of-sale (POS) data using the BlackPOS memory-scraping malware, which is also known as Kaptoxa, or "potato" in Russian. The same malware was reportedly also used against Neiman Marcus and up to six additional as-yet-unnamed retailers.

But a number of key questions surrounding the attacks against Target and other retailers remain unanswered.

1. Did malware infect Target's payment systems?
Target has yet to confirm how the BlackPOS malware was used, leaving open the question of whether Internet-connected POS terminals were compromised. Many security experts don't believe that was the case.

"We are still left to infer that the method of attack was to compromise manager credentials... and that the target was enterprise payment processing servers -- not 'point-of-sale,' not store controllers -- running Windows," information assurance expert William Hugh Murray, an associate professor at the Naval Postgraduate School, said in a recent SANS Institute newsletter. "The most interesting thing about the malware is that it exploited system code, not application-specific code, to access application traffic."


In other words, based on what's known about the attacks, attackers likely gained access to the targeted system by guessing or using stolen access credentials. Furthermore, the malware likely didn't infect any POS terminals or applications running therein, but rather the Windows-based payment system that was used to manage all of those POS terminals.

According to a VirusTotal analysis of BlackPOS samples (and a condensed report), only 30 of 48 antivirus engines detect the malware.

Malware such as BlackPOS is tailor-made to intercept credit card data -- which is otherwise encrypted -- after it has been decrypted for verification. "To access the decrypted transaction data, malware is deployed onto the system that carries out external verification. This malware monitors the currently running processes, looking for one of a known list of processes that carry out the transaction verification," read an EPOS Data Theft threat advisory released Tuesday by McAfee, referring to electronic point-of-sale (EPOS) systems. "When the malware detects data about a financial transaction, it copies or 'scrapes' the decrypted data from the process's memory and writes it to a local file." That list of intercepted credit and debit card credentials is then sent to a remote server so attackers can access the data and then either resell it or use it themselves.
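The advisory above says the scraped records are written to a local file before exfiltration. The following added example (not from the article, McAfee, or any vendor) shows the defender-side check a response team can run over a recovered file or memory image: it looks for Track 1 and Track 2 formatted records, keeps only Luhn-valid card numbers to cut false positives, and reports masked values with their offsets. The sample buffer is constructed for the example and uses the well-known 4111... test card number.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
# Track 2: <PAN>=<YYMM><service code><discretionary>?  ('D' is the ISO 7813 separator variant)
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})[=D](\d{4})(\d{3})[^?]{0,20}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four only, so findings can be logged without re-exposing card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer (dump file, memory image) for Luhn-valid track records."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            expiry = m.group(3 if track == 1 else 2).decode()
            hits.append({"track": track, "offset": m.start(),
                         "pan": mask(pan), "expiry": expiry})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: two valid records plus one with a bad check digit, embedded in junk bytes.
SAMPLE = (b"\x00junk\x00%B4111111111111111^DOE/JOHN^25121010000000000?"
          b"\x00\x00;4111111111111111=25121010000000000?"
          b"\x00;4111111111111112=2512101?\x00")

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```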

2. Who attacked Target?
A 23-year-old Russian man, Rinat Shabayev, this week confirmed that he helped author the BlackPOS malware. But in an interview with Russian media outlet LifeNews that was broadcast Tuesday, he claimed to be innocent of selling Kaptoxa for malicious purposes, saying that it had been developed as a penetration testing tool rather than for the cybercrime market.

"If you use this software with malicious intent, you can earn well, but it is illegal," Shabayev told LifeNews.

Shabayev's identity squares with information published earlier this week by cyber-intelligence firm IntelCrawler. While the firm on Friday named a 17-year-old Russian who used the alias "ree[4]" (a.k.a. "ree4") as a suspect in developing the malware, it revised that assessment earlier this week after questions surfaced over the company's findings. Instead, the firm named Shabayev as the malware's principal developer, saying that he too had used the ree4 handle. After updating its report earlier this week, however, IntelCrawler later excised the names of the two people it suspected of having been the principal developers behind Kaptoxa.

3. Why didn't Neiman Marcus come clean sooner?
One of the biggest unanswered questions surrounding the campaign against retailers concerns the identity of the other businesses -- supposedly, there may be six more in addition to Neiman Marcus -- that were also recently compromised. Those retailers may not yet have fully ascertained the extent of their breaches, and may still be putting working defenses in place.

Neiman Marcus -- which has yet to disclose how many credit and debit card numbers it lost -- has been criticized for not coming clean about the breach more quickly. The firm didn't confirm that it had been breached until Jan. 10, the same day that security journalist Brian Krebs publicized that payment providers had traced fraudulent purchases to cards used at the luxury retailer.

Likewise, Target didn't reveal its information security breach, which happened from Nov. 27 to Dec. 15, until Krebs reported on Dec. 18 that investigators were looking into a potential breach at the retailer. Unlike Target, however, which publicized the breach and endured a downturn in holiday shopping volumes, Neiman Marcus didn't disclose its 2013 breach -- which began in mid-July and lasted until December -- until after the busy shopping period.

While 46 states have mandatory data breach notification laws, the timeline for reporting a breach varies.

Neiman Marcus officials, however, have defended themselves against claims that they delayed issuing a breach notification to affected customers, saying that they reacted as rapidly as possible. "We quickly began our investigation and hired a forensic investigator," read a statement released by the retailer. "Our forensic investigator discovered evidence on Jan. 1st that a criminal cybersecurity intrusion had occurred. The forensic and criminal investigations continue."

By delaying disclosure of the breach, furthermore, Neiman Marcus bought itself time to harden its systems to better defend against repeat attacks. An official at the retailer, on a call last week with credit card companies, said that the Neiman Marcus breach wasn't fully contained until Jan. 12, the New York Times reported.

4. Did the same gang hack Target and Neiman Marcus?
Are the Target and Neiman Marcus attacks related? While the same type of malware was reportedly used in both attacks, investigators have yet to comment about whether the same gang took down both retailers. Last week, meanwhile, Neiman Marcus said that it had "no knowledge of any connection" between Target's breach and its own.

5. Did Target's attackers also hit Easton-Bell Sports?
The latest business to disclose that it too was hacked and had payment data stolen in December 2013 was Easton-Bell Sports, a California-based sports equipment and clothing manufacturer. The company, which makes Bell helmets and Giro cycling gear, said that information on 6,000 customers who shopped on its website was stolen. The breach reportedly lasted from Dec. 1 to Dec. 31, and stolen information may have included names, addresses, telephone numbers, email addresses, credit card numbers, and card security codes, the company said in a statement.

An Easton-Bell Sports spokesman didn't immediately respond to an emailed request for comment about whether memory-scraping malware was used, or if the data breach appeared to involve the same gang or gangs that successfully attacked Target and Neiman Marcus.

1/22/2014 | 8:47:46 PM
Re: PIN numbers
Based solely on how the RAM scraping works, stealing the PIN codes is certainly possible if they were transmitted from the PIN pad to an infected system. I too read they were encrypted, but I don't know if that was fact or damage control to prevent panic.

I don't know if we would know by now. The criminals could be waiting for a future opportunity. Right now this is highly publicized. If I had millions of valid cards, I'd think using them in an "Office Space" manner (Superman 2, Richard Pryor stealing fractional pennies) would be lucrative and potentially repeatable for a long duration. Better to stay below the radar by adding a $5.13 charge from Starbuks (pun intended) to millions of accounts...
Shane M. O'Neill
1/22/2014 | 6:30:04 PM
PIN numbers
I'm curious about PIN numbers for debit cards. Target said PIN numbers were taken in the breach, but that the numbers were encrypted. And that claim has not backfired as far as I know.

Do we know if encrypted PIN numbers can be accessed when BlackPOS malware is running on the POS device and/or the payment servers? I guess if stolen PIN numbers were being exploited we would know by now.
1/22/2014 | 4:23:17 PM
Exploiting Payment Servers vs. POS Controllers
"Exploited payment servers not POS systems, not store controllers running Windows..."

Isn't BlackPOS Windows malware? At least I thought it was. Perhaps I'm mistaken. If it is Windows malware, what difference does it make that they didn't compromise POS systems or store controllers running Windows? Either way they still compromised Windows.

I guess it's probably worse if they compromised payment servers since by design, they should be even more critically protected than an individual POS as they are a much higher value target.