Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Target Breach: Phishing Attack Implicated

Report suggests malware-laced email attack on Target's HVAC subcontractor leaked access credentials for retailer's network.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

Did the breach of Target begin with a phishing attack? Investigators suspect attackers initially gained access to Target's network using credentials obtained from heating, ventilation, and air-conditioning (HVAC) subcontractor Fazio Mechanical Services via a phishing attack, security reporter Brian Krebs reported Wednesday, citing unnamed sources with knowledge of the government's investigation into the Target breach.

Fazio Mechanical Services, which is based in Sharpsburg, Penn., reportedly fell victim to the related phishing attack at least two months prior to the time the attackers siphoned 40 million credit and debit cards from Target's point-of-sale (POS) systems, said Krebs.

The theft of payment card data from Target began on Nov. 27. Target confirmed the breach on Dec. 15, but it took until Dec. 18 before the retailer fully scrubbed the attackers' POS malware from its payment systems and arrested the payment card data exfiltration.

[Businesses need to step it up when it comes to data breach notifications. Read Data Breach Notifications: Time For Tough Love.]

Last week, Fazio Mechanical Services president and owner Ross E. Fazio issued a statement confirming that his company has been assisting the Secret Service with its investigation into the Target breach. He emphasized that his company is not a target of that investigation.

After the news broke last week that Fazio Mechanical Services was tied to the Target breach, many security experts questioned whether the retailer's attackers had hacked into an Internet-accessible -- and vulnerable -- HVAC system. But according to Fazio, his company does not perform remote monitoring or control of heating, cooling, or refrigeration systems for Target.

Rather, his company's access to Target's network was limited to business-related administrative purposes. "Our data connection with Target was exclusively for electronic billing, contract submission, and project management, and Target is the only customer for whom we manage these processes on a remote basis," he said. "No other [Fazio] customers have been affected by the breach."

Multiple sources told Krebs that the phishing email that compromised Fazio's systems included a Citadel Trojan, which is botnet-controlled financial malware based on the Zeus source code. A study of banking Trojans released this week by Dell SecureWorks described Citadel's use by criminals as "ubiquitous" and said that the attackers behind the Citadel Trojan have "made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits." Dell SecureWorks said that it was tracking more than 900 Citadel command-and-control servers in 2013.

Citadel malware includes the ability to relay video recordings of all Internet sessions to its controllers, and to log keystrokes automatically, as well as FTP and POP3 email credentials. According to the Dell SecureWorks report, the malware also packs a variety of security software evasion techniques, including "aggressive DNS filtering" to prevent infected hosts from connecting to security sites or receiving antivirus software and signature updates.

What culpability might the HVAC contractor have in the Target breach if its systems were used as a stepping stone by attackers? Fazio's statement suggested that the company's security infrastructure is robust, noting that "our IT system and security measures are in full compliance with industry practices." But he declined to elaborate on what those industry practices might be.

If his company was felled by a phishing attack -- packing Citadel malware or not -- it wouldn't be the first organization to be so compromised. EMC-owned security giant RSA, multiple US defense contractors, and the White House have also fallen victim to such attacks.

What are the odds that the HVAC subcontractor was compromised by a targeted attack? In fact, most phishing attacks tend to be highly automated. They focus on target quantity over quality. In other words, it's quite likely that Fazio was exploited by chance, with the gang behind the attacks only discovering the company's connection to Target after it had a chance to review data that had been automatically harvested by its malware. At that point, the attackers could have conducted more detailed reconnaissance of the retailer's network.

Krebs said it wouldn't have been difficult for attackers to case the external-facing network to which Fazio had access. "Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing web properties that do not require a login," he said. "Indeed, many of these documents would be a potential gold mine of information for an attacker."

Target's public-facing Supplier Portal includes detailed information about how company subcontractors should communicate with the company and submit invoices. As Krebs reported, a number of Excel documents shared via that portal include metadata that attackers could use to identify the Windows usernames of Target employees, as well as the names of internal Windows domains.

What's still not clear, however, is how attackers might have parlayed Fazio's access credentials for Target's electronic billing, contracts, or project management system into full-blown access to the retailer's IT network and payment processing systems.

Tech Marketing 360 is the only event dedicated to technology marketers. Discover the most current and cutting-edge innovations and strategies to drive tech marketing success, and hear from and engage with companies like Mashable, Dun & Bradstreet, ExactTarget, IDC, Microsoft, LinkedIn, Oracle, Leo Burnett, Young & Rubicam, Juniper Networks, and more -- all in an intimate, upscale setting. Register for Tech Marketing 360 today. It happens Feb. 18-20, 2014, in Dana Point, Calif.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
rradina
50%
50%
rradina,
User Rank: Apprentice
2/14/2014 | 9:58:33 AM
My Theory
They captured credentials from Fazio when they logged into Target's network and subsequently when they logged into an in-store HVAC console.  The console was likely good ole Windows XP, not patched and no malware detection.  The credentials were probably also a "local admin" meaning they owned that console and could install anything they wanted on it and use it to determine how to compromise the router to allow POS VLAN access or, if the HVAC system was wireless, compromise an in-store Wireless network.  Once on that network, it probably wasn't hard to use a remote execution attack against Windows XP-based POS systems that might have also been missing critical patches making them vulnerable to remote attacks.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/14/2014 | 9:56:03 AM
Random or targeted
When I saw the headline, I assumed the attackers had identified the HVAC company as a Target supplier and deliberately went after them with a spear-phishing attack. But if it was just a random chance (a fishing expedition?), these guys stumbled across a good one. That said, the attackers seemed really prepared to exploit the opportunity, so maybe they had retailers in mind from the outset.
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25159
PUBLISHED: 2020-11-24
499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.
CVE-2020-25654
PUBLISHED: 2020-11-24
An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5-rc2. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went throu...
CVE-2020-28329
PUBLISHED: 2020-11-24
Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.
CVE-2020-29053
PUBLISHED: 2020-11-24
HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.
CVE-2020-25640
PUBLISHED: 2020-11-24
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.