

Target Hackers Tapped Vendor Credentials

Investigators suspect that BMC software, Microsoft configuration management tools, and SQL injection were used as hacking tools and techniques in Target's massive data breach.


Target said Wednesday that the hackers who attacked the company employed access credentials that were hardcoded into a product used by the retailer.

"We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system," Target spokeswoman Molly Snyder said Thursday via email.

Target declined to identify the vendor whose credentials attackers had obtained, though confirmed that the attack vector has been blocked. "As we have previously shared, we confirmed the breach on December 15 and were able to eliminate the malware and close the access," she said. "Since that time we have taken extra precautions such as limiting or updating access to some of our platforms while the investigation continues."

Target's attackers ultimately stole 40 million credit and debit cards collected by the retailer's point-of-sale (POS) systems, set up a server inside Target's network to collect that stolen data, then regularly sent it in batches via FTP to a server in Russia. Attackers also stole personal details pertaining to 70 million Target customers.


While Target declined to disclose further details from its investigation, security journalist Brian Krebs reported Wednesday that Dell SecureWorks this week released a private report to some of its clients, which suggests that Target's attackers gained access to Performance Assurance for Microsoft Servers, which is IT infrastructure management software sold by BMC Software.

That squares with an analysis of malware retrieved from the Target breach, which was uploaded on Dec. 18 to Symantec's ThreatExpert scanning service -- and shortly thereafter deleted -- which said that the malware appeared to be responsible for moving stolen data from POS systems to a Windows share, using "Best1_user" as the account name and "BackupU$r" as the password, Krebs reported. Not coincidentally, that username and password are employed by BMC's Performance product, SecureWorks said, which suggests that Target was using the software.

According to a BMC knowledgebase article cited by Krebs, "Best1_user" is used by its software to provide admin-level access to the software's host machine. But the BMC literature assures the reader that this hardcoded credential can only be used by BMC's product. "It is not a member of any group (not even the 'users' group) and therefore can't be used to login to the system," it says. Of course, the document doesn't discuss whether an attacker might use purloined credentials to log onto another machine inside the network.
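As an added example, not code from the article, BMC, or Target: a small defender-side check over constructed logon events that flags a vendor service account such as Best1_user when it appears on hosts, with logon types, or on file shares outside its documented role on its own host. The log format, field names, host names and policy table are assumptions made for the example.

```python
"""Added example: flag logons by a vendor service account that stray from its
documented use. Events are constructed in a simplified key=value format
(field names are assumptions), not a real Windows Security log export."""

# Constructed sample events. 4624 = logon, 5140 = network share accessed.
# logon_type 5 = service start on its own host, 3 = network, 2 = interactive.
SAMPLE_EVENTS = r"""
ts=2013-11-27T02:10:05 event=4624 user=Best1_user logon_type=5 src=127.0.0.1 host=perf-mon01
ts=2013-11-27T02:11:40 event=4624 user=Best1_user logon_type=3 src=10.20.5.17 host=pos-share02
ts=2013-11-27T02:12:01 event=5140 user=Best1_user share=\\pos-share02\drop src=10.20.5.17 host=pos-share02
ts=2013-11-27T02:13:15 event=4624 user=jsmith logon_type=2 src=10.20.5.17 host=ws-0451
ts=2013-11-27T03:01:00 event=4624 user=Best1_user logon_type=3 src=10.20.5.17 host=pos-share03
"""

# Policy (assumed): the vendor account should only start a service on the
# monitoring host itself; any network or interactive use elsewhere is suspect.
SERVICE_ACCOUNT_POLICY = {
    "Best1_user": {"hosts": {"perf-mon01"}, "logon_types": {"5"}},
}


def parse_event(line):
    """Turn one 'k=v k=v ...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def flag_service_account_misuse(raw_events, policy=SERVICE_ACCOUNT_POLICY):
    """Return (ts, user, src, reasons) for each event where a policed account
    logs on to an unexpected host, uses an unexpected logon type, or touches
    a file share. Accounts not in the policy are ignored."""
    findings = []
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        rule = policy.get(ev.get("user"))
        if rule is None:
            continue
        reasons = []
        if ev["host"] not in rule["hosts"]:
            reasons.append(f"logon on unexpected host {ev['host']}")
        if ev["event"] == "4624" and ev["logon_type"] not in rule["logon_types"]:
            reasons.append(f"unexpected logon type {ev['logon_type']}")
        if ev["event"] == "5140":
            reasons.append(f"file share access {ev['share']}")
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["src"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in flag_service_account_misuse(SAMPLE_EVENTS):
        print(*finding)
```

Run against the constructed events, the service start on perf-mon01 is silent while the network logons and share access from 10.20.5.17 are reported.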

If attackers successfully exploited one of Target's vendors' products, how did they gain access to the Target network in the first place? To date, the retailer has declined to answer that question. Likewise, while the US Secret Service is leading the government investigation into the breaches at Target, Neiman Marcus, and other retailers, it has yet to release any related information.

But many security researchers suspect that a Target employee fell victim to a phishing attack that either contained malware, or caused them to execute a SQL injection attack. DB Networks, for example, spotted on the Microsoft website a case study about Target's IT infrastructure, which said that the retailer was using Microsoft device management software known as System Center Configuration Manager (SCCM) 2007 -- although that's likely since been upgraded to SCCM 2012. That product has been patched by Microsoft to fix security flaws, for example for a vulnerability that "could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL."

"That sounds like another way of saying SQL injection," Michael Sabo, VP of marketing for DB Networks, said via email.

If attackers gained access to SCCM, they would have had a mechanism that allowed them to distribute software updates. As with last year's hard-drive-wiping malware attacks against South Korean banks, hackers could have used a configuration or patch management system to distribute their malware to targeted systems. "We highly suspect they hacked the SCCM with the POS malware and then let Target's own processes distribute the malware for them in a normal update process," Sabo said. "The central SCCM distributes to the stores, and the stores SCCM [installations] distribute to the POS terminals."

But attackers may not have needed to bother pushing malware to POS devices. "If a sufficient number of store controllers, or far less likely, true point-of-sale devices, were compromised to gather tens of millions of credit card numbers, then it is likely that configuration management software was used," cybersecurity expert William Hugh Murray, who's an associate professor at the Naval Postgraduate School, said via email. "However, Occam's Razor tells me it is far more likely that, in spite of the persistent use of the term 'point-of-sale' in [Target's] press releases, the compromise was of the enterprise application servers that take the transactions from the stores and pass them to brands."

Furthermore, if attackers enjoyed access to the configuration management software, they likely also had sufficient access credentials to compromise the processing servers, he said, which would have been a more centralized and thus straightforward attack.

"Except for the scale, the 'Target,' and the silence, we have no reason to believe that this breach is any different than the dozens treated in the Verizon Data Breach Incident Report, almost all of which were of application servers," Murray said. "The exceptions included a small number of fuel pumps and grocery stores where the legitimate POS device was physically swapped out for a compromised device."

Whatever the attack techniques, don't expect POS malware attacks targeting retailers to stop anytime soon. Indeed, an FBI advisory dated Jan. 17 and distributed privately to retailers -- and published Wednesday by Krebs -- warned that retail attackers were likely to continue their POS malware press. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors," the FBI said. "We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms' actions to mitigate it."

According to the FBI, it's seen 20 attacks in the past year that mirror the Target hack. Likewise, Visa last year released two security alerts detailing the increased use of POS malware, and detailed ways for retailers to defend themselves.

While the Secret Service and Target have remained tight-lipped about their investigations into recently hacked retailers, Attorney General Eric Holder told the Senate Judiciary Committee on Wednesday that the Justice Department hopes to file related privacy-violation and fraud charges against Target's perpetrators. "While we generally do not discuss specific matters under investigation, I can confirm the department is investigating the breach involving the US retailer, Target," Holder told the committee. He added that the Justice Department is actively attempting to identify "not only the perpetrators of these sorts of data breaches -- but also any individuals and groups who exploit that data via credit card fraud."

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.


User Rank: Apprentice
1/31/2014 | 12:09:21 AM
Point of sale or Target pointing in the wrong direction?
The successful point of sale attacks that I remember hearing about involved planting a sniffer at the point of sale or swapping out its hardware for the attacker's, without anyone noticing. The magnitude of the Target breach always seemed to me to more likely be a central server attack that yielded a motherlode of stolen personal information.
Joe Stanganelli
User Rank: Ninja
1/30/2014 | 11:41:48 PM
Re: Wake Up, World
Microsoft dominates the market. Saying that "most security breach victims use Microsoft" is like saying "most murderers have watched a violent movie."
User Rank: Apprentice
1/30/2014 | 10:08:57 PM
Stolen Credentials
So the Target spokesperson says "...the intruder stole a vendor's credentials which were used to access our system". Okay, did the stolen credentials allow admin privileges on these systems at Target or did Target not implement least privilege? Apparently Target is indicating these stolen credentials allowed the hacker to unload a PII database of 70M records and steal 40M credit cards. Also, why did it take weeks for Target to learn of the breaches?

Breaches such as this are typically multidimensional. So stolen credentials, along with SQL injection, along with malware distribution, etc. shouldn't shock anyone. It's time for Target to come clean and lay out everything they know about these attacks. Dripping out pieces of information weekly is doing no one any good. If they truly don't know what happened after more than two months then I highly recommend you never charge anything at their stores or ever give them your personal information. Can you imagine if the airlines had been allowed to not share air disaster information after a crash? Airline safety would have never improved. But instead the airlines are required to share the information and over the years air safety has been dramatically improved.

User Rank: Apprentice
1/30/2014 | 9:32:06 PM
Did you really base your whole article on what someone suspects happened and what 'sounds like' a SQL injection? This is the worst kind of journalism. This topic is highly complex and requires a level of expertise to give any guidance to readers. The very thought that one system or piece of software could cause this kind of breach is what leads companies to have a false sense of security related to what software they have installed. The management software would not control the firewall that would allow 11 GB of data to be transmitted out of the country. Malware wouldn't be effective against properly encrypted data. Stick to the facts. The IW brand deserves your diligence.
User Rank: Apprentice
1/30/2014 | 8:36:04 PM
Re: Wake Up, World
@asksqn... I don't think you can blame MS here. First of all we don't know what software was hacked first. We also don't know how the vendor's account was hacked. Someone could have given info out over the phone or via email that, unknown to them, was used to gain entry into the system. The reason MS is always hacked is because it has the market. I can say with confidence if Apple or Linux had the market then they would be getting hacked.
User Rank: Apprentice
1/30/2014 | 8:30:55 PM
I manage SCCM on a network and I can see if it was hacked how easy it would be to push out a virus. When configured correctly it works great. In this case a little too great.
User Rank: Ninja
1/30/2014 | 4:20:22 PM
Wake Up, World
Yet another reason **not** to use MS infrastructure. It speaks to apparently wholesale naivety that any big box retailer would use anything from MS given that mass breaches have demonstrated time and again that using MS products = imminent security breach.