Let’s not forget Target.
An executive summary of the Target data breach
Introduction
Malicious hackers obtained access to Target's sprawling internal network, moved laterally until they reached the POS (point-of-sale) systems, and infected them with malware that stole payment card data for roughly 40 million customers, along with names, addresses, phone numbers and e-mail addresses of up to 70 million. Lessons learned include requiring multi-factor authentication, improving monitoring and logging of system activity, and tightening firewall rules and network segmentation. (Kassner, 2/2/15)
Analysis
1) Reconnaissance
A Google search surfaces Target's Supplier Portal, which contains a wealth of information for new and existing vendors. These documents sat behind no authentication and were open to the public, which exposed Target's information infrastructure. Simple reconnaissance would also have turned up a detailed case study on Microsoft's website describing how Target used Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager to deploy security patches and system updates, i.e. the very tooling an attacker would want to reach once inside. (Kassner, 2/2/15)
2) Compromised third-party vendors
The hackers used Citadel, a variant of the Zeus banking trojan delivered by a phishing e-mail (Krebs), to harvest the login credentials of Fazio Mechanical, a refrigeration contractor for Target. Citadel can usually be detected by Malwarebytes Anti-Malware, but, lacking a strong policy, Fazio was running the free version, which has no real-time scanning and is licensed for personal rather than corporate use. The anti-malware was used incorrectly and is probably the main reason the breach occurred. (Kassner, 2/2/15)
3) Accessing Target’s Servers
Using the login credentials stolen from Fazio, the hackers probably used the Ariba portal (a vendor billing and invoicing system) as their point of entry into the network. The portal authenticated against Active Directory (AD), and its servers had access to the rest of the corporate network. "It's possible that attackers abused a vulnerability in the web application, such as SQL injection, XSS, or possibly a 0-day, to gain a point of presence, escalate privileges, then attack internal systems." (Poulin) From there they moved laterally through the network, attacking other vulnerable systems. (Kassner, 2/2/15)
4) Targeting POS systems
A trojan (the POS malware publicly identified as BlackPOS) was pushed to Target's POS terminals. Its RAM scraper read card data out of the registers' process memory, the brief window in which the magnetic-stripe track data sits unencrypted, and wrote it to an internal staging server. From there the hackers moved the data out of Target's network and sold it on carding forums.
Why was the attack successful?
There are many reasons, but the main ones are default and weak passwords (weak password policies), missing critical patches for Windows, and outdated software such as Apache, IBM WebSphere, and PHP. Many of Target's employees held higher privileges than their roles required, and the general priority given to security was low. (Krebs, 9/15)
If two-factor authentication had been required for the Fazio employees who accessed Target's systems, or if vendor policies had been strong enough to make Fazio run the paid, real-time-scanning version of its anti-malware, this breach would probably not have happened.
Consequences for Target
Target reported a 46% drop in profits for the 4th quarter of 2013, paid an $18.5 million multistate settlement, and settled a $10 million class-action lawsuit.
Conclusion
A network is only as strong as its weakest point, and the Target breach showed how important it is to close every reachable weakness, including those introduced by third parties. Constant logging and monitoring, combined with regularly attacking your own network, will improve security.
Sources
- Email Attack on Vendor Set Up Breach at Target. Krebs on Security
- Inside Target Corp., Days After 2013 Breach. Krebs on Security
- Anatomy of the Target data breach: Missed opportunities and lessons learned. ZDNet
- Massive Target credit card breach new step in security war with hackers. NBC News
- Target CIO Beth Jacob resigns in breach aftermath. Naked Security
- Target Hackers Broke in Via HVAC Company. Krebs on Security
- Target has $100 million of cyber insurance and $65 million of D&O coverage. Business Insurance
- Target says it declined to act on early alert of cyber breach. Reuters
- The Target Breach, By the Numbers. Krebs on Security
- Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer