Target Hackers Tapped Vendor Credentials

Investigators suspect that BMC software, Microsoft configuration management tools, and SQL injection were used as hacking tools and techniques in Target's massive data breach.

Target said Wednesday that the hackers who attacked the company employed access credentials that were hardcoded into a product used by the retailer.

"We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system," Target spokeswoman Molly Snyder said Thursday via email.

Target declined to identify the vendor whose credentials attackers had obtained, though it confirmed that the attack vector has been blocked. "As we have previously shared, we confirmed the breach on December 15 and were able to eliminate the malware and close the access," she said. "Since that time we have taken extra precautions such as limiting or updating access to some of our platforms while the investigation continues."

Target's attackers ultimately stole 40 million credit and debit cards collected by the retailer's point-of-sale (POS) systems, set up a server inside Target's network to collect that stolen data, then regularly sent it in batches via FTP to a server in Russia. Attackers also stole personal details pertaining to 70 million Target customers.


While Target declined to disclose further details from its investigation, security journalist Brian Krebs reported Wednesday that Dell SecureWorks this week released a private report to some of its clients, which suggests that Target's attackers gained access to Performance Assurance for Microsoft Servers, which is IT infrastructure management software sold by BMC Software.

That squares with an analysis of malware retrieved from the Target breach, which was uploaded on Dec. 18 to Symantec's ThreatExpert scanning service and deleted shortly thereafter, Krebs reported. That analysis said the malware appeared to be responsible for moving stolen data from POS systems to a Windows share, using "Best1_user" as the account name and "BackupU$r" as the password. Not coincidentally, that username and password are the ones employed by BMC's Performance product, SecureWorks said, which suggests that Target was using the software.

According to a BMC knowledgebase article cited by Krebs, "Best1_user" is used by its software to provide admin-level access to the software's host machine. But the BMC literature assures the reader that this hardcoded credential can only be used by BMC's product. "It is not a member of any group (not even the 'users' group) and therefore can't be used to login to the system," it says. Of course, the document doesn't discuss whether an attacker might use purloined credentials to log onto another machine inside the network.
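The defensive point in the two paragraphs above is that a vendor's hardcoded service account is only "safe" while it is used solely by the vendor's own product from the vendor's own servers; once the credential is known, the same account can authenticate to a share from any host on the network. The following detection logic is an added example, not code from the article, from BMC or from Target: it scans a constructed, simplified key=value rendering of Windows Security event 4624 (successful logon) and flags logons by the "Best1_user" account that are either interactive (which the vendor says should never happen) or network logons from a host other than the product's own console. The event format, host names, IP addresses and the allowlist are assumptions; real events are EVTX/XML and would be parsed with a proper library.

```python
"""
Flag anomalous use of a vendor's built-in service account in Windows logon events.

Added example (not the article's, BMC's or Target's code). The input lines are a
constructed, simplified rendering of Windows Security event 4624 as key=value
pairs. The account name "Best1_user" comes from the article; host names, IPs and
the allowlist are assumptions.
"""
from dataclasses import dataclass

# Windows logon types (Microsoft's documented values):
# 2 = Interactive, 3 = Network (e.g. SMB share access), 10 = RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {2, 10}
NETWORK_LOGON_TYPE = 3

# Assumption: the only hosts that should ever authenticate as the vendor's
# service account are the product's own console/collector servers.
VENDOR_ACCOUNT = "best1_user"
ALLOWED_SOURCE_HOSTS = {"bmc-console01"}

# Constructed sample events, not real breach data.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=Best1_user LogonType=3 WorkstationName=bmc-console01 IpAddress=10.0.5.10",
    "EventID=4624 TargetUserName=Best1_user LogonType=3 WorkstationName=POS-STORE117 IpAddress=10.44.1.23",
    "EventID=4624 TargetUserName=Best1_user LogonType=2 WorkstationName=FILESRV02 IpAddress=127.0.0.1",
    "EventID=4624 TargetUserName=jsmith LogonType=3 WorkstationName=POS-STORE117 IpAddress=10.44.1.23",
    "EventID=4625 TargetUserName=Best1_user LogonType=3 WorkstationName=POS-STORE118 IpAddress=10.44.1.24",
]


@dataclass(frozen=True)
class Alert:
    reason: str
    event: str


def parse_event(line):
    """Turn one key=value line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(fields):
    """Return an alert reason for one parsed event, or None if it looks benign."""
    if fields.get("EventID") != "4624":
        return None  # only successful logons are considered here
    if fields.get("TargetUserName", "").lower() != VENDOR_ACCOUNT:
        return None
    try:
        logon_type = int(fields.get("LogonType", "-1"))
    except ValueError:
        return "unparseable LogonType for vendor account"
    host = fields.get("WorkstationName", "").lower()
    if logon_type in INTERACTIVE_LOGON_TYPES:
        # The vendor states the account cannot log on to the system at all, so an
        # interactive or RDP logon contradicts the documented behaviour.
        return "interactive logon by vendor service account"
    if logon_type == NETWORK_LOGON_TYPE and host not in ALLOWED_SOURCE_HOSTS:
        # Share access from a host other than the product's own servers matches
        # the POS-to-Windows-share staging pattern described in the article.
        return "network logon by vendor service account from unexpected host"
    return None


def detect(lines):
    """Run classify() over raw event lines and collect the alerts in order."""
    alerts = []
    for line in lines:
        reason = classify(parse_event(line))
        if reason:
            alerts.append(Alert(reason, line))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.reason}: {alert.event}")
```

Run against the constructed sample, the first event (the console host accessing a share) is treated as normal, the second (a store host authenticating as the service account) and the third (an interactive logon) are flagged, and the non-vendor user and the failed logon are ignored. The allowlist is the piece that makes this useful in practice: it has to be maintained from the vendor's deployment documentation, and any host added to it deserves the same scrutiny as the account itself.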

If attackers successfully exploited one of Target's vendor's products, how did they gain access to the Target network in the first place? To date, the retailer has declined to answer that question. Likewise, while the US Secret Service is leading the government investigation into the breaches at Target, Neiman Marcus, and other retailers, it has yet to release any related information.

But many security researchers suspect that a Target employee fell victim to a phishing attack that either contained malware, or caused them to execute a SQL injection attack. DB Networks, for example, spotted on the Microsoft website a case study about Target's IT infrastructure, which said that the retailer was using Microsoft device management software known as System Center Configuration Manager (SCCM) 2007, although that has likely since been upgraded to SCCM 2012. That product has been patched by Microsoft to fix security flaws, for example a vulnerability that "could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL."

"That sounds like another way of saying SQL injection," Michael Sabo, VP of marketing for DB Networks, said via email.

If attackers gained access to SCCM, they would have had a mechanism that allowed them to distribute software updates. As with last year's hard-drive-wiping malware attacks against South Korean banks, hackers could have used a configuration or patch management system to distribute their malware to targeted systems. "We highly suspect they hacked the SCCM with the POS malware and then let Target's own processes distribute the malware for them in a normal update process," Sabo said. "The central SCCM distributes to the stores, and the stores SCCM [installations] distribute to the POS terminals."

But attackers may not have needed to bother pushing malware to POS devices. "If a sufficient number of store controllers, or far less likely, true point-of-sale devices, were compromised to gather tens of millions of credit card numbers, then it is likely that configuration management software was used," cybersecurity expert William Hugh Murray, who's an associate professor at the Naval Postgraduate School, said via email. "However, Occam's Razor tells me it is far more likely that, in spite of the persistent use of the term 'point-of-sale' in [Target's] press releases, the compromise was of the enterprise application servers that take the transactions from the stores and pass them to brands."

Furthermore, if attackers enjoyed access to the configuration management software, they likely also had sufficient access credentials to compromise the processing servers, he said, which would have been a more centralized and thus straightforward attack.

"Except for the scale, the 'Target,' and the silence, we have no reason to believe that this breach is any different than the dozens treated in the Verizon Data Breach Incident Report, almost all of which were of application servers," Murray said. "The exceptions included a small number of fuel pumps and grocery stores where the legitimate POS device was physically swapped out for a compromised device."

Whatever the attack techniques, don't expect POS malware attacks targeting retailers to stop anytime soon. Indeed, an FBI advisory dated Jan. 17 and distributed privately to retailers, and published Wednesday by Krebs, warned that retail attackers were likely to continue to press POS malware attacks. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors," the FBI said. "We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms' actions to mitigate it."

According to the FBI, it's seen 20 attacks in the past year that mirror the Target hack. Likewise, Visa last year released two security alerts detailing the increased use of POS malware, and detailed ways for retailers to defend themselves.

While the Secret Service and Target have remained tight-lipped about their investigations into recently hacked retailers, Attorney General Eric Holder on Wednesday told the Senate Judiciary Committee that the Justice Department hopes to file related privacy-violation and fraud charges against Target's perpetrators. "While we generally do not discuss specific matters under investigation, I can confirm the department is investigating the breach involving the US retailer, Target," Holder told the committee. He added that the Justice Department is actively attempting to identify "not only the perpetrators of these sorts of data breaches -- but also any individuals and groups who exploit that data via credit card fraud."

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.
