
Case Study - Anatomy of the Target data breach

31/03/2023, 09:52
Anatomy of the Target data breach: Missed opportunities and lessons learned | ZDNET
Part of a ZDNET Special Feature: Security and Privacy: New Challenges
Anatomy of the Target data breach: Missed opportunities and lessons learned
Target hasn't publicly released all the details of its 2013 data breach, but enough
information exists to piece together what likely happened and understand how
the company could have prevented the hack.
Written by Michael Kassner, Contributor on Feb. 2, 2015
Target's infamous data breach happened just over a year ago. Are we any the wiser?
Have lessons been learned? Although not every detail has been made public,
experts have developed an unofficial attack timeline that exposes critical junctures
in the attack and highlights several points at which it could have been stopped.
The attack started on November 27, 2013. Target personnel discovered the breach
and notified the U.S. Justice Department by December 13th. As of December 15th,
Target had a third-party forensic team in place and the attack mitigated. On
December 18th, security blogger Brian Krebs broke the story in this post.
https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
"Nationwide retail giant Target is investigating a data breach potentially involving
millions of customer credit and debit card records," mentioned Krebs. "The sources
said the breach appears to have begun on or around Black Friday 2013 -- by far the
busiest shopping day of the year."
Then things became interesting. Target informed about 110 million credit/debit-card
wielding shoppers, who made purchases at one of the company's stores during the
attack, that their personal and financial information had been compromised. To put
that in perspective, the attackers pilfered 11 gigabytes of data.
Anatomy of the attack
Now let's look at the sequence of events that precipitated the data breach. Had any
of these steps been noticed and countered, the attack would likely have fallen
apart.
1. Preliminary survey
We don't know for certain if or how the attackers performed reconnaissance on
Target's network prior to the attack, but it wouldn't have required much more than
a simple internet search.
Teri Radichel in this GIAC (GSEC) dissertation explains how the attackers may have
gleaned information about Target's infrastructure. "Reconnaissance would have
revealed a detailed case study on the Microsoft website describing how Target
uses Microsoft virtualization software, centralized name resolution, and Microsoft
System Center Configuration Manager to deploy security patches and system
updates," writes Radichel. "The case study also describes Target's technical
infrastructure, including POS system information."
The internet provides additional clues. "A simple Google search turns up Target's
Supplier Portal, which includes a wealth of information for new and existing vendors
and suppliers about how to interact with the company, submit invoices, etc.," adds
Krebs in this blog post. After drilling down, Krebs found a page listing HVAC and
refrigeration companies.
2. Compromise third-party vendor
The attackers backed their way into Target's corporate network by compromising a
third-party vendor. The number of vendors targeted is unknown. However, it only
took one. That happened to be Fazio Mechanical, a refrigeration contractor.
A phishing email duped at least one Fazio employee, allowing Citadel, a variant of
the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place,
the attackers waited until the malware offered what they were looking for -- Fazio
Mechanical's login credentials.
At the time of the breach, all major versions of enterprise anti-malware detected
the Citadel malware. Unsubstantiated sources mentioned Fazio used the free
version of Malwarebytes anti-malware, which offered no real-time protection being
an on-demand scanner. (Note: Malwarebytes anti-malware is highly regarded by
experts when used in the correct manner.)
Chris Poulin, a research strategist for IBM, in this paper offers some suggestions.
Target should demand that vendors accessing their systems use appropriate
anti-malware software, Poulin adds, "or at least mandate two-factor authentication
to contractors who have internal access to sensitive information."
3. Leveraging Target's vendor-portal access
Most likely Citadel also gleaned login credentials for the portals used by Fazio
Mechanical. With that in hand, the attackers got to work figuring out which portal
to subvert and use as a staging point into Target's internal network. Target hasn't
officially said which system was the entry point, but the Ariba portal was a prime
candidate.
Brian Krebs interviewed a former member of Target's security team regarding the
Ariba portal, "Most, if not all, internal applications at Target used Active Directory
(AD) credentials and I'm sure the Ariba system was no exception," the administrator
told Krebs. "I wouldn't say the vendor had AD credentials, but internal administrators
would use their AD logins to access the system from inside. This would mean the
server had access to the rest of the corporate network in some form or another."
Poulin suggests several attack scenarios, "It's possible that attackers abused a
vulnerability in the web application, such as SQL injection, XSS, or possibly a 0-day,
to gain a point of presence, escalate privileges, then attack internal systems."
Not knowing the details makes it difficult to offer a remediation for this portion of
the attack. However, Poulin opines that IPS/IDS systems, if in place, would have
sensed the inappropriate attack traffic, notifying Target staff of the unusual
behavior. According to this Bloomberg Business article, a malware detection tool
made by the computer security firm FireEye was in place and sent an alarm, but the
warning went unheeded.
4. Gain control of Target servers
Again, Target hasn't said publicly how the attackers undermined several of their
internal Windows servers, but there are several possibilities.
Radichel in the SANS dissertation offers one theory. "We can speculate the
criminals used the attack cycle described in Mandiant's APT1 report to find
vulnerabilities," mentions Radichel. "Then move laterally through the network...
using other vulnerable systems."
Gary Warner, founder of Malcovery Security, feels servers fell to SQL-injection
attacks. He bases that on the many similarities between the Target breach and
those perpetrated by the Drinkman and Gonzalez data-breach gang which also
used SQL injection.
5. Next stop, Target's point of sale (POS) systems
This iSIGHT Partners report provides details about the malware, code-named
Trojan.POSRAM, used to infect Target's POS system. The "RAM-scraping" portion of
the POS malware grabs credit/debit card information from the memory of POS
devices as cards are swiped. "Every seven hours the Trojan checks to see if the
local time is between the hours of 10 AM and 5 PM," mentions the iSIGHT Partners
report. "If so, the Trojan attempts to send winxml.dll over a temporary NetBIOS
share to an internal host (dump server) inside the compromised network over TCP
port 139, 443 or 80." This technique allowed attackers to steal data from POS
terminals that lacked internet access.
Once the credit/debit card information was secure on the dump server, the POS
malware sent a special ICMP (ping) packet to a remote server. The packet indicated
that data resided on the dump server. The attackers then moved the stolen data to
off-site FTP servers and sold their booty on the digital black market.
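The three-stage exfiltration chain described above (POS terminal to internal dump server, ICMP signal to an external host, then FTP egress) is exactly the kind of traffic that network-flow monitoring can surface. The following is an added example, not code from the article, iSIGHT or Target: a small flow-log triage in Python that flags each stage. The network layout (a POS /16, a corporate 10/8, an allowlist of hosts a POS terminal may legitimately reach) and every log line are constructed assumptions for this example. The rule for stage one deliberately ignores the port, since the report lists 139, 443 and 80 as possibilities; what matters is that a POS terminal opened a connection to an internal host it has no business talking to.

```python
"""Triage constructed flow logs for the staged exfiltration pattern described in
the article: POS terminals pushing data to an internal dump host, an ICMP ping to
an external address when a batch is ready, and bulk FTP egress.  Network layout,
allowlists and all log lines are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed segmentation: POS terminals sit in their own /16 and should only talk
# to the payment switch and one approved file server inside the corporate range.
POS_NET = ip_network("10.10.0.0/16")
INTERNAL_NET = ip_network("10.0.0.0/8")
APPROVED_POS_PEERS = {ip_address("10.20.0.5"), ip_address("10.20.0.9")}
FTP_PORT = 21


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    rule: str
    flow: Flow
    business_hours: bool  # the malware only exfiltrated 10:00-17:00 to blend in


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts src dst proto dport bytes' records; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), ip_address(src),
                          ip_address(dst), proto.lower(), int(dport), int(nbytes)))
    return flows


def in_business_hours(ts: datetime) -> bool:
    """The report's 10 AM to 5 PM window, when card traffic volume is highest."""
    return 10 <= ts.hour < 17


def triage(flows: list[Flow]) -> list[Alert]:
    """Return one alert per flow that matches a stage of the exfiltration chain."""
    alerts = []
    for f in flows:
        src_internal = f.src in INTERNAL_NET
        dst_internal = f.dst in INTERNAL_NET
        rule = None
        # Stage 1: a POS terminal connecting to any internal host that is not on
        # its allowlist (the dump-server stage, whatever port the share used).
        if f.src in POS_NET and dst_internal and f.dst not in APPROVED_POS_PEERS:
            rule = "pos_lateral"
        # Stage 2: ICMP from inside to an external address (the "data is ready" signal).
        elif f.proto == "icmp" and src_internal and not dst_internal:
            rule = "icmp_beacon"
        # Stage 3: FTP from an internal host to the outside (bulk transfer off-site).
        elif f.proto == "tcp" and f.dport == FTP_PORT and src_internal and not dst_internal:
            rule = "ftp_egress"
        if rule:
            alerts.append(Alert(rule, f, in_business_hours(f.ts)))
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_LOG = """
2013-12-02T11:15:03 10.10.4.21 10.20.0.5     tcp  445 2048      # POS -> approved file server
2013-12-02T11:17:44 10.10.4.21 10.30.7.9     tcp  139 524288    # POS -> unapproved internal host
2013-12-02T11:18:01 10.10.4.22 10.30.7.9     tcp  443 388000    # same pattern over 443
2013-12-02T11:30:00 10.30.7.9  203.0.113.77  icmp 0   84        # internal -> external ping
2013-12-02T11:40:10 10.40.1.2  10.30.7.9     tcp  443 1200      # corporate workstation, benign
2013-12-02T23:05:12 10.30.7.9  198.51.100.12 tcp  21  11000000  # night-time FTP egress
"""

if __name__ == "__main__":
    for a in triage(parse_flows(SAMPLE_LOG)):
        when = "business hours" if a.business_hours else "off hours"
        print(f"{a.rule:12} {a.flow.src} -> {a.flow.dst}:{a.flow.dport} "
              f"{a.flow.nbytes} bytes ({when})")
```

Run against the sample, the triage produces four alerts: two `pos_lateral` hits for the POS terminals reaching the unapproved host, one `icmp_beacon` for the ping to an external address, and one `ftp_egress` for the large night-time transfer. The benign backup to the approved file server and the corporate workstation's HTTPS session produce nothing. The `business_hours` flag is there so an analyst can see which events sit inside the window the malware used to hide among legitimate card traffic.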
Lessons learned