Attacks/Breaches
2/13/2014
12:32 PM
50%
50%

Target Breach: Phishing Attack Implicated

Report suggests malware-laced email attack on Target's HVAC subcontractor leaked access credentials for retailer's network.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

Did the breach of Target begin with a phishing attack? Investigators suspect attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning (HVAC) subcontractor Fazio Mechanical Services via a phishing attack, security reporter Brian Krebs reported Wednesday, citing unnamed sources with knowledge of the government's investigation into the Target breach.

Fazio Mechanical Services, which is based in Sharpsburg, Penn., reportedly fell victim to the related phishing attack at least two months prior to the time the attackers siphoned 40 million credit and debit cards from Target's point-of-sale (POS) systems, said Krebs.

The theft of payment card data from Target began on Nov. 27. Target confirmed the breach on Dec. 15, but it took until Dec. 18 before the retailer fully scrubbed the attackers' POS malware from its payment systems and arrested the payment card data exfiltration.

[Businesses need to step it up when it comes to data breach notifications. Read Data Breach Notifications: Time For Tough Love.]

Last week, Fazio Mechanical Services president and owner Ross E. Fazio issued a statement confirming that his company has been assisting the Secret Service with its investigation into the Target breach. He emphasized that his company is not a target of that investigation.

After the news broke last week that Fazio Mechanical Services was tied to the Target breach, many security experts questioned whether the retailer's attackers had hacked into an Internet-accessible -- and vulnerable -- HVAC system. But according to Fazio, his company does not perform remote monitoring or control of heating, cooling, or refrigeration systems for Target.

Rather, his company's access to Target's network was limited to business-related administrative purposes. "Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis," he said. "No other [Fazio] customers have been affected by the breach."

Multiple sources told Krebs that the phishing email that compromised Fazio's systems included a Citadel Trojan, which is botnet-controlled financial malware based on the Zeus source code. A study of banking Trojans released this week by Dell SecureWorks described Citadel's use by criminals as "ubiquitous" and said that the attackers behind the Citadel Trojan have "made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits." Dell SecureWorks said that it was tracking more than 900 Citadel command-and-control servers in 2013.

Citadel malware includes the ability to relay video recordings of all Internet sessions to its controllers, and to log keystrokes automatically, as well as FTP and POP3 email credentials. According to the Dell SecureWorks report, the malware also packs a variety of security software evasion techniques, including "aggressive DNS filtering" to prevent infected hosts from connecting to security sites or receiving antivirus software and signature updates.

What culpability might the HVAC contractor have in the Target breach if its systems were used as a stepping stone by attackers? Fazio's statement suggested that the company's security infrastructure is robust, noting that "our IT system and security measures are in full compliance with industry practices." But he declined to elaborate on what those industry practices might be.

If his company was felled by a phishing attack -- packing Citadel malware or not -- it wouldn't be the first organization to be so compromised. EMC-owned security giant RSA, multiple US defense contractors, and the White House have also fallen victim to such attacks.

What are the odds that the HVAC subcontractor was compromised by a targeted attack? In fact, most phishing attacks tend to be highly automated. They focus on target quantity over quality. In other words, it's quite likely that Fazio was exploited by chance, with the gang behind the attacks only discovering the company's connection to Target after it had a chance to review data that had been automatically harvested by its malware. At that point, the attackers could have conducted more detailed reconnaissance of the retailer's network.

Krebs said it wouldn't have been difficult for attackers to case the external-facing network to which Fazio had access. "Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing web properties that do not require a login," he said. "Indeed, many of these documents would be a potential gold mine of information for an attacker."

Target's public-facing Supplier Portal includes detailed information about how company subcontractors should communicate with the company and submit invoices. As Krebs reported, a number of Excel documents shared via that portal include metadata that attackers could use to identify the Windows usernames of Target employees, as well as the names of internal Windows domains.

What's still not clear, however, is how attackers might have parlayed Fazio's access credentials for Target's electronic billing, contracts, or project management system into full-blown access to the retailer's IT network and payment processing systems.

Tech Marketing 360 is the only event dedicated to technology marketers. Discover the most current and cutting-edge innovations and strategies to drive tech marketing success, and hear from and engage with companies like Mashable, Dun & Bradstreet, ExactTarget, IDC, Microsoft, LinkedIn, Oracle, Leo Burnett, Young & Rubicam, Juniper Networks, and more -- all in an intimate, upscale setting. Register for Tech Marketing 360 today. It happens Feb. 18-20, 2014, in Dana Point, Calif.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
rradina
50%
50%
rradina,
User Rank: Apprentice
2/14/2014 | 9:58:33 AM
My Theory
They captured credentials from Fazio when they logged into Target's network and subsequently when they logged into an in-store HVAC console.  The console was likely good ole Windows XP, not patched and no malware detection.  The credentials were probably also a "local admin" meaning they owned that console and could install anything they wanted on it and use it to determine how to compromise the router to allow POS VLAN access or, if the HVAC system was wireless, compromise an in-store Wireless network.  Once on that network, it probably wasn't hard to use a remote execution attack against Windows XP-based POS systems that might have also been missing critical patches making them vulnerable to remote attacks.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/14/2014 | 9:56:03 AM
Random or targeted
When I saw the headline, I assumed the attackers had identified the HVAC company as a Target supplier and deliberately went after them with a spear-phishing attack. But if it was just a random chance (a fishing expedition?), these guys stumbled across a good one. That said, the attackers seemed really prepared to exploit the opportunity, so maybe they had retailers in mind from the outset.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

CVE-2014-6395
Published: 2014-12-19
Heap-based buffer overflow in the dissector_postgresql function in dissectors/ec_postgresql.c in Ettercap before 8.1 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted password length value that is inconsistent with the actual length of the password...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.