Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Target Ignored Data Breach Alarms

Target's security team reviewed -- and ignored -- urgent warnings from threat-detection tool about unknown malware spotted on the network.

Target confirmed Friday that the hack attack against the retailer's point-of-sale (POS) systems that began in late November triggered alarms, which its information security team evaluated and chose to ignore.

"Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team," said Target spokeswoman Molly Snyder via email. "That activity was evaluated and acted upon."

Unfortunately, however, the security team appears to have made the wrong call. "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," she said. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."

[Collaboration with competitors may be the key to slowing security threats. See Retail Industry May Pool Intel To Stop Breaches.]

Target arguably wasn't breached because it failed to invest in proper information security defenses. In fact, Snyder said the company had "invested hundreds of millions of dollars in data security, had a robust system in place, and had recently been certified as PCI-compliant." Likewise, the retailer apparently heeded multiple warnings from US-CERT -- part of the Department of Homeland Security -- about the increasing threat of POS-malware attacks against retailers.

Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.

When reviewing Target's log files, digital forensic investigators also found the November 30 alerts, as well as multiple alerts from December 2, all of which tied to attackers installing multiple versions of their malware -- with the alerts including details for the external servers to which data was being sent -- Bloomberg Businessweek reported. Later on December 2, attackers began siphoning 40 million credit and debit card numbers from POS terminals, as well as personal information on 70 million customers. Ultimately, they exfiltrated at least 11 GB of data, according to Aviv Raff, CTO of Israel-based cybersecurity technology company Seculert, which found one of three FTP servers to which the data was sent. From there, the data was transferred to a server hosted by Russian-based hosting service vpsville.ru.

Obviously, had Target's security team reacted differently, they might have contained what turned into a massive data breach. But the security team didn't even have to be in the loop. The FireEye software could have been set

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
<<   <   Page 3 / 3
rradina
50%
50%
rradina,
User Rank: Apprentice
3/24/2014 | 3:19:56 PM
Re: Deactivation of FireEye's Automatic Response
It certainly does.  My last employer has been using it since ~2004/5 -- before McAfee bought Solidcore.  Back then the employer was flagged for not having virus protection on their POS systems.  We had to constantly ask for a compensating control.  That left me with a poor impression of the PCI rules and those who conducted the audits.  It's similar when calling a support line that isn't staffed by trained and experienced resources.  They cannot truly understand problems.  They can only read a script and follow a yes/no logic tree.
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
7/11/2018 | 4:54:11 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
7/11/2018 | 4:54:43 AM
Re: Deactivation of FireEye's Automatic Response
Their security system specialists obviously need to resit for their security courses and tests. Due to their poor choice of defense mechanisms on that fateful day, things had turned out like how the retailer wouldn't have anticipated them to. This is a costly mistake that the team could refer to as a learning point. Having invested so much for their security system setup, the retailer obviously had greater expectations of the team and they had most likely anticipated such an incident to hit them.
<<   <   Page 3 / 3
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.