Case Studies

An Easy Target

Open-CISO

Business is To Do Business. - Security???

The Target data breach of 2013 is considered one of the most significant data breaches in the history of the United States. In December of 2013, credit card numbers of almost 40 million customers were stolen from 2000 Target stores around the country by accessing data on the point of sale (POS) systems. POS is where the customer makes the payment for the products or services at a store. On Jan. 10, 2014, Target announced that Personally Identifiable Information (PII) data. I.e., names, phone numbers, addresses, and email addresses of up to 70 million customers, were stolen. In both types of data stolen, there was an overlap of 12 million people. So, in total, around 98 million people were affected. In estimation, almost 11 GB of data was stolen. The customers' stolen data was available on online black-market forums known as "card shops" for sale. The US Governing body, i.e., Senate Committee on Commerce, concluded in March 2014 that Target had missed opportunities to prevent the breach resulting in such catastrophic outcomes. The management of Target reported that the breach cost them over $61 million. It was also said that the security staff at Target had raised their queries regarding the known vulnerabilities of their POS systems before the breach. Still, no necessary steps were taken to fix the issues. It is believed that the attackers had access to Target systems for over a month before the breach was detected. Independent sources worldwide have made a rough estimation that the cost of fraudulent charges resulting from the stolen credit card numbers is from $250 million to $2.2 billion. There are over 80 lawsuits filed against Target.

Timeline of the Target Data Breach

  • Nov. 27 to Dec. 15 - Cybercriminals gained access to Target's network and could steal information on millions of debit and credit cards from the customers.
  • Dec. 18 - Brian Krebs, a Cyber security blogger, post's a story stating that Target has been the victim of a security breach involving millions of debit and credit cards.
  • Dec. 18 - An American Express spokeswoman confirms that the data breach occurred, and they've initiated their investigation.
  • Dec. 18 - The Federal Secret Service confirms to other media houses that it has launched its investigation on the data breach.
  • Dec. 19 - Target issues a statement confirming that credit and debit cards information of 40 million customers may have been exposed.
  • Dec. 20 – Gregg Steinhafel, Target CEO, apologizes to the customers and offers a discount to shoppers for the weekend as compensation for the terrible news.
  • Dec. 23 – United States Department of Justice steps into the investigation.
  • Dec. 23 - Target says the data breach was caused by malicious software on the POS card-swiping devices in the checkout aisles of its stores.
  • Dec. 27 - Target acknowledges that personal identification numbers to debit and credit cards were also exposed.
  • Jan. 3 – Banks around the country joined the "replace-them-all approach" program to issue new cards to their affected customers.
  • Jan. 10 - Target announces that the personal information of 70 million customers was also exposed during the breach, but there is an overlap with the previous financial data breach of 40 million people. At worst, the cybercriminals accessed data of up to 110 million people from Target's system.

How did they Breach ?

As the first step of any cyber-attack, the attackers spent significant time learning Target's supply chain interactions over a Google Search. The search revealed sizeable information about the vendors and the lists of HVAC and refrigeration companies. Additionally, with the Google search, the cybercriminals came across a case study on Microsoft site that described -- to deploy patches, how Target had used tools such as Microsoft virtualization software, Microsoft System Centre Configuration Manager (SCCM), and centralized name resolution. This case study also revealed Target's technical infrastructure in detail, including POS system information, which was the central point for the breach to occur.

After the recon, the attackers concluded to attack the vulnerabilities of the third-party vendor: Fazio Mechanical. A phishing email was sent to Fazio Mechanical, the refrigeration vendor of Target, almost two months before the breach occurred. Fazio Mechanical could have prevented the malware in the first place via real-time malware prevention tools. But the vendor was using a free version of the Malwarebytes Anti-Malware. The malware used was Citadel, a password-stealing bot program that was probably embedded in PDF or Microsoft document present in the email and then installed on vendor computer. The malware obtained the login credentials for the online vendor portal.

Once the attackers had the login credentials, they could gain network access to Target. A former security employee of Target indicated that it was probably Target's web portal: Ariba, which is an external billing system. The ex-employee also mentioned that the portal was not entirely isolated from the rest of the network. After getting access, the attackers used an administrative application BMC account with its default username and password to move within the network. Additionally, it is believed that NetCat.exe basic commands were used to load hacking-related commands to compromised systems. The attackers accessed Target's network for the first time on Nov. 12, 2013.

Once the attackers could access the network, it was time to establish a command-and-control system. Attackers used the vendor portal as the gateway to access other systems. The attackers performed reconnaissance on the Command-and-control systems to look for vulnerabilities present in other systems. Further infiltration on the network was done through this system. Moreover, additional reconnaissance was performed by the attackers from the system using network command tools. Finally, other hacking tools were downloaded to the system.

Security researchers believe that a vulnerability in a Windows Domain Controller was found by the attackers used to gain access to the POS systems. Except for centralized authentication, each retail store was an autonomous unit. The Microsoft case study could have probably hinted at the attackers to look for this centralized pivot point that ended up being a bonus for them. It is said that an automated update process performed the distribution of malware, and SCCM was the deployment method. The virus scanners available could not detect the malware as it was a custom "BlackPOS" malware. This malware was available for sale in the online black market for $1800-$2300 (US dollars). By Nov. 30, 2013, most POS systems in Target had this malware installed.

The server with network access to the Point-of-Sale systems served as a Command-and-Control system to the POS Malware infected systems. This Command-and-Control Dump server used another malware to retrieve data from POS systems to the dump server. When the cards are swiped, the data is taken from the memory stored in .dll file format. Additionally, the command-and-control dump server used its malware to retrieve customer data.

The attackers used customized ping packets to signal when data will be transferred from a Point-of-Sale machine to a compromised machine on the LAN. In addition, the windows tool - Netcat.exe might have been used to write data to TCP and UDP connections. The attackers hijacked the exfiltration on the Target network and installed another malware that provided data extraction functionality for stolen customer data. The attackers retrieved data using the default administrative username and password, i.e., "Best1_user" BackupU$r" respectively. The attackers updated the malware several times from Nov. 30 to Dec. 2. The intrusion detection system of Target triggered urgent alerts whenever the malware was updated each time, but no actions were taken from the security team. It was also reported that Symantec antivirus software used in Target infrastructure detected malicious behavior on this same server around Nov. 2, 2013.

On Dec. 2, the hackers sent data to their servers present worldwide with the data exfiltration server that passed the data to an external FTP server. The servers were believed to be located in Eastern Europe. The data was transmitted in clear text to the mapped location. FireEye software detected this exfiltration malware and the destinations to which the malware was sending data. Target used a software named FireEye, a security monitoring software that alerted the staff in India, who notified the malware detected to Minneapolis staff, but no action was taken. The Stolen Customer credit cards were sold on the online black market.

How it could have been prevented

Focusing on all vulnerabilities: Target was primarily focused on PCI compliance rather than the actual vulnerabilities present in the infrastructure. There are always some risks that don't come under the scope of the PCI requirements. Standards could indicate to the adversaries which the business or organizations have implemented security measures, so the attacker can easily take advantage of the vulnerabilities, not the PCI compliance checklist.

Implementing tokenization: The customer details could have been replaced with unique, irreversible tokens that the attackers would have trouble accessing or decoding, rather than relying on the traditional encryption methods.

Investing in cybersecurity measures: The breach could have been avoided if Target had additional cybersecurity precautions methods/tools. As a result, the expense of the security infrastructure would have been far lesser than the actual estimation cost in damages caused by the breach.
Importance of Effective cyber incident response plan

The greatest downfall during the breach was Target'sTarget's initial response. The security staff did not make an effort to analyze the alerts triggered. If the team had been more active and doing critical investigations on the warnings triggered, the attacks could have been stopped at some point in time. Third-party exposures must be considered. It is very vital to promote third-party security. For example, the initial point of attack for the breach was Fazio Mechanical. To prevent these types of third-party exposures, it is crucial to work with third-party vendors on the security practices and, if possible, to include incorporating cyber risk management within vendor contracts.

References:

Only Cybersecurity can nurture The Scale of Business
Cybersecurity is best when seeded into Business Functions. fnCyber™ assures you Direct and Uncomplicated Cybersecurity Consulting.

Contact Us

Get in Touch

mail
one@fncyber.com
location
Level 1, Salarpuria Knowledge City, InOrbit Mall Road, HITEC City, Hyderabad, Telangana 500081 India

Follow us on Social Media

linkedin
@fnCyber
twitter
@fnCyberSecurity