Attacks/Breaches
1/30/2014
11:03 AM

Target Hackers Tapped Vendor Credentials

Investigators and outside researchers suspect that BMC software, Microsoft configuration management tools, and SQL injection all figured in Target's massive data breach.


Target said Wednesday that the hackers who attacked the company used access credentials stolen from a vendor. Separate research, described below, suggests those credentials were hardcoded into a product the retailer used.

"We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system," Target spokeswoman Molly Snyder said Thursday via email.

Target declined to identify the vendor whose credentials attackers had obtained, but confirmed that the attack vector has been blocked. "As we have previously shared, we confirmed the breach on December 15 and were able to eliminate the malware and close the access," she said. "Since that time we have taken extra precautions such as limiting or updating access to some of our platforms while the investigation continues."

Target's attackers ultimately stole data on 40 million credit and debit cards collected by the retailer's point-of-sale (POS) systems, set up a server inside Target's network to stage that stolen data, then regularly sent it in batches via FTP to a server in Russia. Attackers also stole personal details pertaining to 70 million Target customers.
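The staging-then-batching pattern described above is detectable from flow data even when the content is unreadable. The following is an added example, not code from the article or from Target: it scans NetFlow-style records for an internal host that repeatedly pushes large volumes to one external address on a regular cadence. The record format, the addresses, the thresholds, and the ranges treated as "internal" are all assumptions.

```python
"""Spot batched bulk transfers from an internal host to one external destination.

Added example (not from the article): looks for an internal source that sends
many large sessions to the same external host on a near-fixed schedule, which
is how the article describes the card data leaving Target's network.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: what counts as "inside" this network. Defined explicitly rather
# than via ipaddress.is_private so the sample documentation addresses count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_SESSIONS = 3            # assumed: fewer than this is not a "batch" pattern
MIN_TOTAL_BYTES = 1 << 30   # assumed: 1 GiB cumulative to one destination

# Constructed flow records (start time, src, dst, dst port, bytes sent); not real traffic.
SAMPLE_FLOWS = """\
2013-12-02T02:00:12 10.5.20.14 198.51.100.23 21 734003200
2013-12-02T06:00:40 10.5.20.14 198.51.100.23 21 681574400
2013-12-02T10:01:02 10.5.20.14 198.51.100.23 21 713031680
2013-12-02T14:00:55 10.5.20.14 198.51.100.23 21 702545920
2013-12-02T10:15:00 10.5.20.14 10.5.1.2 445 52428800
2013-12-02T11:00:00 10.5.30.7 203.0.113.9 443 1048576
2013-12-02T11:30:00 10.5.30.7 203.0.113.9 443 2097152
2013-12-02T12:00:00 10.5.30.7 203.0.113.9 443 1572864
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def cadence_cv(times):
    """Coefficient of variation of the gaps between sessions; near 0 means a fixed schedule."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def find_batch_exfil(flows, min_sessions=MIN_SESSIONS, min_total=MIN_TOTAL_BYTES):
    """Group internal->external flows by (src, dst) and flag heavy, repeated senders.

    Grouping ignores the destination port on purpose: passive FTP moves the
    data on ephemeral ports, so the control-channel port alone would miss it.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            groups[(src, dst)].append((ts, port, nbytes))
    alerts = []
    for (src, dst), sessions in groups.items():
        sessions.sort()
        total = sum(b for _, _, b in sessions)
        if len(sessions) < min_sessions or total < min_total:
            continue
        alerts.append({
            "src": src, "dst": dst,
            "ports": sorted({p for _, p, _ in sessions}),
            "sessions": len(sessions), "total_bytes": total,
            "cadence_cv": cadence_cv([t for t, _, _ in sessions]),
        })
    return alerts


if __name__ == "__main__":
    for a in find_batch_exfil(parse_flows(SAMPLE_FLOWS)):
        print("ALERT", a)
```

A low `cadence_cv` on top of the volume threshold is what separates a scheduled job from a one-off backup to a cloud bucket; both need human review, but the scheduled one is the shape this breach took.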


While Target declined to disclose further details from its investigation, security journalist Brian Krebs reported Wednesday that Dell SecureWorks this week released a private report to some of its clients, which suggests that Target's attackers gained access to Performance Assurance for Microsoft Servers, which is IT infrastructure management software sold by BMC Software.

That squares with an analysis of malware retrieved from the Target breach, which was uploaded on Dec. 18 to Symantec's ThreatExpert scanning service and deleted shortly thereafter. According to Krebs, the analysis showed the malware moving stolen data from POS systems to a Windows share, authenticating with the account name "Best1_user" and the password "BackupU$r". Not coincidentally, SecureWorks said, that username and password are the ones used by BMC's Performance product, which suggests that Target was running the software.

According to a BMC knowledgebase article cited by Krebs, "Best1_user" is used by its software to provide admin-level access to the software's host machine. But the BMC literature assures the reader that this hardcoded credential can only be used by BMC's product. "It is not a member of any group (not even the 'users' group) and therefore can't be used to login to the system," it says. Being barred from an interactive logon is not the same as being unusable, however: an account whose password is known can still authenticate over the network to reach a file share, which is exactly how the malware reportedly used it. And the document doesn't discuss whether an attacker might use the purloined credentials to authenticate to other machines inside the network.
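The practical check that follows from this is to treat any vendor's hardcoded service account as a single-purpose credential and alert on network use of it from anywhere other than the product's own server. The following is an added example, not code from the article, Target, or BMC: it scans exported Windows Security events for network logons (event 4624 with logon type 3) and share access (event 5140) by a watched account from an unexpected source. The account name, the expected management host, and the sample events are assumptions.

```python
"""Flag network use of a vendor's hardcoded service account from unexpected hosts.

Added example (not from the article, Target or BMC). An account that cannot log
on interactively can still authenticate over the network to a share, so the
rule keys on 4624/type 3 (network logon) and 5140 (share accessed).
"""
import json
from collections import defaultdict

# Assumption: the only host that should ever present this account's credentials
# is the product's own management server.
EXPECTED_SOURCES = {"Best1_user": {"10.1.1.5"}}

# Constructed sample events as JSON lines (not real Target logs), using the
# field names Windows emits for event IDs 4624 and 5140.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "TargetUserName": "Best1_user", "LogonType": 3, "IpAddress": "10.1.1.5", "Computer": "POS-STORE12-01"}
{"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2, "IpAddress": "-", "Computer": "WS-4471"}
{"EventID": 4624, "TargetUserName": "Best1_user", "LogonType": 3, "IpAddress": "10.7.3.22", "Computer": "FILESRV-02"}
{"EventID": 5140, "SubjectUserName": "Best1_user", "IpAddress": "10.7.3.22", "ShareName": "\\\\*\\C$", "Computer": "FILESRV-02"}
{"EventID": 4624, "TargetUserName": "Best1_user", "LogonType": 3, "IpAddress": "10.7.3.22", "Computer": "POS-STORE12-01"}
{"EventID": 4624, "TargetUserName": "Best1_user", "LogonType": 3, "IpAddress": "10.7.3.22", "Computer": "POS-STORE12-02"}
"""


def parse_events(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def account_of(event):
    # 4624 carries the account in TargetUserName; 5140 carries it in SubjectUserName.
    return event.get("TargetUserName") or event.get("SubjectUserName")


def find_unexpected_use(events, expected=EXPECTED_SOURCES):
    """Return (alerts, fan_out).

    alerts:  one tuple per event where a watched account authenticated over the
             network from a source not on its allow-list.
    fan_out: for each unexpected source IP, the set of computers it reached;
             several distinct computers means lateral movement, not one misconfiguration.
    """
    alerts = []
    fan_out = defaultdict(set)
    for ev in events:
        user = account_of(ev)
        if user not in expected:
            continue
        eid = ev.get("EventID")
        if eid == 4624 and ev.get("LogonType") == 3:
            kind = "network_logon"
        elif eid == 5140:
            kind = "share_access"
        else:
            continue  # interactive and other logon types belong to a separate rule
        src = ev.get("IpAddress", "-")
        if src in expected[user]:
            continue
        alerts.append((kind, user, src, ev.get("Computer")))
        fan_out[src].add(ev.get("Computer"))
    return alerts, dict(fan_out)


if __name__ == "__main__":
    found, spread = find_unexpected_use(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print("ALERT", *alert)
    for src, hosts in spread.items():
        print(f"{src} reached {len(hosts)} hosts: {sorted(hosts)}")
```

The allow-list is the whole rule: a vendor account with a published password is only safe while the set of hosts that legitimately present it is tiny and known, so the same list should drive the firewall and share permissions, not just the detection.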

If attackers successfully exploited one of Target's vendors' products, how did they gain access to the Target network in the first place? To date, the retailer has declined to answer that question. Likewise, while the US Secret Service is leading the government investigation into the breaches at Target, Neiman Marcus, and other retailers, it has yet to release any related information.

But many security researchers suspect that a Target employee fell victim to a phishing attack that either delivered malware or lured them to a link that exploited a flaw in an internal web application, and that SQL injection played a part. DB Networks, for example, spotted on the Microsoft website a case study about Target's IT infrastructure, which said that the retailer was using Microsoft device management software known as System Center Configuration Manager (SCCM) 2007 -- although that's likely since been upgraded to SCCM 2012. That product has been patched by Microsoft to fix security flaws, for example a vulnerability that "could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL."

"That sounds like another way of saying SQL injection," Michael Sabo, VP of marketing for DB Networks, said via email.

Whether or not that particular flaw was involved (Microsoft's SCCM 2007 bulletin with that wording, MS12-062, described a cross-site scripting bug triggered by a crafted link rather than SQL injection), the broader point stands: if attackers gained access to SCCM, they would have had a mechanism that allowed them to distribute software updates. As with last year's hard-drive-wiping malware attacks against South Korean banks, hackers could have used a configuration or patch management system to distribute their malware to targeted systems. "We highly suspect they hacked the SCCM with the POS malware and then let Target's own processes distribute the malware for them in a normal update process," Sabo said. "The central SCCM distributes to the stores, and the stores SCCM [installations] distribute to the POS terminals."
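A configuration-management system will faithfully deliver whatever is placed in a package, so the control is to record what was approved and re-verify it before installation. The following is an added example, not code from the article or from Microsoft's SCCM tooling: it builds a SHA-256 manifest of a package when it is approved and later reports files that were modified, added, or removed, as would happen if malware were slipped into a package on its way to store controllers or POS terminals. The package layout, file names, and manifest format are assumptions.

```python
"""Verify a software distribution package against the manifest captured at approval time.

Added example (not from the article or from SCCM). Hash every file when the
package is approved; re-check the content on the distribution point or the
endpoint before the installer runs, and refuse to install on any deviation.
"""
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(package_dir):
    """Map relative path -> sha256 for every regular file under package_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(package_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, package_dir).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def verify_package(package_dir, manifest):
    """Return a deviation report; every list empty means the content is as approved."""
    current = build_manifest(package_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def is_clean(report):
    return not any(report.values())


def demo():
    """Constructed scenario (hypothetical files): approve a package, then tamper with it."""
    with tempfile.TemporaryDirectory() as pkg:
        os.makedirs(os.path.join(pkg, "bin"))
        with open(os.path.join(pkg, "bin", "posagent.exe"), "wb") as f:
            f.write(b"legitimate agent binary")
        with open(os.path.join(pkg, "install.cmd"), "wb") as f:
            f.write(b"bin\\posagent.exe /install\r\n")
        approved = build_manifest(pkg)
        clean = verify_package(pkg, approved)

        # Simulated tampering on the distribution point: a dropped binary plus an
        # edited install script that launches it.
        with open(os.path.join(pkg, "bin", "extra.dll"), "wb") as f:
            f.write(b"not a real dll")
        with open(os.path.join(pkg, "install.cmd"), "ab") as f:
            f.write(b"rundll32 bin\\extra.dll,Start\r\n")
        tampered = verify_package(pkg, approved)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("approved package clean:", is_clean(before))
    print("after tampering:", after)
```

The manifest is only as trustworthy as its storage: an attacker who can edit the package on the distribution point can edit a manifest sitting next to it, so sign it or keep it on the approving system, and have the endpoint fetch it separately from the package.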

But attackers may not have needed to bother pushing malware to POS devices. "If a sufficient number of store controllers, or far less likely, true point-of-sale devices, were compromised to gather tens of millions of credit card numbers, then it is likely that configuration management software was used," cybersecurity expert William Hugh Murray, who's an associate professor at the Naval Postgraduate School, said via email. "However, Occam's Razor tells me it is far more likely that, in spite of the persistent use of the term 'point-of-sale' in [Target's] press releases, the compromise was of the enterprise application servers that take the transactions from the stores and pass them to brands."

Furthermore, if attackers enjoyed access to the configuration management software, they likely also had sufficient access credentials to compromise the processing servers, he said, which would have been a more centralized and thus straightforward attack.

"Except for the scale, the 'Target,' and the silence, we have no reason to believe that this breach is any different than the dozens treated in the Verizon Data Breach Incident Report, almost all of which were of application servers," Murray said. "The exceptions included a small number of fuel pumps and grocery stores where the legitimate POS device was physically swapped out for a compromised device."

Whatever the attack techniques, don't expect POS malware attacks targeting retailers to stop anytime soon. Indeed, an FBI advisory dated Jan. 17 and distributed privately to retailers -- and published Wednesday by Krebs -- warned that retail attackers were likely to keep up their POS malware campaigns. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors," the FBI said. "We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms' actions to mitigate it."

According to the FBI, it's seen 20 attacks in the past year that mirror the Target hack. Likewise, Visa last year released two security alerts detailing the increased use of POS malware, and detailed ways for retailers to defend themselves.

While the Secret Service and Target have remained tight-lipped about their investigations into recently hacked retailers, Attorney General Eric Holder told the Senate Judiciary Committee Wednesday that the Justice Department hopes to file related privacy-violation and fraud charges against Target's perpetrators. "While we generally do not discuss specific matters under investigation, I can confirm the department is investigating the breach involving the US retailer, Target," Holder told the committee. He added that the Justice Department is actively attempting to identify "not only the perpetrators of these sorts of data breaches -- but also any individuals and groups who exploit that data via credit card fraud."

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.


Comments
cbabcock,
User Rank: Apprentice
1/31/2014 | 12:09:21 AM
Point of sale or Target pointing in the wrong direction?
The successful point of sale attacks that I remember hearing about involved planting a sniffer at the point of sale or swapping out its hardware for the attacker's, without anyone noticing. The magnitude of the Target breach always seemed to me to more likely be a central server attack that yielded a motherlode of stolen personal information.
Joe Stanganelli,
User Rank: Strategist
1/30/2014 | 11:41:48 PM
Re: Wake Up, World
Microsoft dominates the market.  Saying that "most security breach victims use Microsoft" is like saying "most murderers have watched a violent movie."
M1ch43L,
User Rank: Apprentice
1/30/2014 | 10:08:57 PM
Stolen Credentials
So the Target spokesperson says "...the intruder stole a vendor's credentials which were used to access our system". Okay, did the stolen credentials allow admin privileges on these systems at Target or did Target not implement least privilege? Apparently Target is indicating these stolen credentials allowed the hacker to unload a PII database of 70M records and steal 40M credit cards. Also, why did it take weeks for Target to learn of the breaches?

Breaches such as this are typically multidimensional. So stolen credentials, along with SQL injection, along with malware distribution, etc. shouldn't shock anyone. It's time for Target to come clean and lay out everything they know about these attacks. Dripping out pieces of information weekly is doing no one any good. If they truly don't know what happened after more than two months then I highly recommend you never charge anything at their stores or ever give them your personal information. Can you imagine if the airlines had been allowed to not share air disaster information after a crash? Airline safety would have never improved. But instead the airlines are required to share the information and over the years air safety has been dramatically improved.
anon5823034364,
User Rank: Apprentice
1/30/2014 | 9:32:06 PM
Really?
Did you really base your whole article on what someone suspects happened and what 'sounds like' a SQL injection? This is the worst kind of journalism. This topic is highly complex and requires a level of expertise to give any guidance to readers. The very thought that one system or piece of software could cause this kind of breach is what leads companies to have a false sense of security related to what software they have installed. The management software would not control the firewall that would allow 11 GB of data to be transmitted out of the country. Malware wouldn't be effective against properly encrypted data. Stick to the facts. The IW brand deserves your diligence.
PaulS681,
User Rank: Apprentice
1/30/2014 | 8:36:04 PM
Re: Wake Up, World
@asksqn... I don't think you can blame MS here. First of all we don't know what software was hacked first. We also don't know how the vendor's account was hacked. Someone could have given info out over the phone or via email that, unknown to them, was used to gain entry into the system. The reason MS is always hacked is because it has the market. I can say with confidence if Apple or Linux had the market then they would be getting hacked.
PaulS681,
User Rank: Apprentice
1/30/2014 | 8:30:55 PM
SCCM
I manage SCCM on a network and I can see if it was hacked how easy it would be to push out a virus. When configured correctly it works great. In this case a little too great.
asksqn,
User Rank: Apprentice
1/30/2014 | 4:20:22 PM
Wake Up, World
Yet another reason **not** to use MS infrastructure.  It speaks to apparently wholesale naivety that any big box retailer would use anything from MS given that mass breaches have demonstrated time and again that using MS products = imminent security breach. 