Attacks/Breaches

Target Malware Origin Details Emerge

Kaptoxa POS malware cited as culprit behind sophisticated, two-stage operation that moved 11 GB of stolen Target data via FTP to a hijacked server in Russia.

Kaptoxa malware infected Target POS machines, security researchers say.
Kaptoxa malware infected Target POS machines, security researchers say.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
missmuffin
50%
50%
missmuffin,
User Rank: Apprentice
2/12/2014 | 12:27:16 PM
Re: Via FTP to Russia
Preach it, brother!  You are right on (...err...) target!
WillyWonka
100%
0%
WillyWonka,
User Rank: Apprentice
1/20/2014 | 12:50:35 PM
How was Target breached?
"After somehow hacking into Target and infecting POS terminals with Kaptoxa..." - this is a very important piece of the puzzle. Does anyone know details on how the hackers breached the perimeter to get the malware onto the POS systems?

 

Thx
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
1/19/2014 | 8:35:43 AM
Via FTP to Russia
At what point did Target IT think that allowing any data to go outside its own network is ever needed except for very few gateways to payment processors? And at what point did Target IT think that transferring anything via FTP from secured networks is ever a good idea or needed? Was there ever a review of what data came from where and went to where on a regular (means daily) basis?

At the point the ports were opened (if they were closed to begin with) and at latest when the transfer started all alarms should have rung at the top brass IT offices. It is easy to blame the handful of criminals who surely are culprits, but the grossly negligent indifference of Target IT is as bad. Does anyone investigate those fools?

It is sad when the local store security is better than the network security at corporate. Stealing millions of CC numbers is apparently easier than shoplifting a pack of gum.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7421
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.

CVE-2014-8160
Published: 2015-03-02
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disall...

CVE-2014-9644
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-201...

CVE-2015-0239
Published: 2015-03-02
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYS...

CVE-2014-8921
Published: 2015-03-01
The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by c...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.