The hackers who spent the holiday season shopping with at least 70 million stolen credit- and bank-card numbers got at them through one of Target’s vendors, the retailer said on Wednesday.
Target spokeswoman Molly Snyder, as quoted by the Wall Street Journal:
We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system.
Target didn’t specify how the theft was carried out nor what portal the thieves crept in through to commit the massive theft, which Target first confirmed in mid-December.
But even though Target didn’t give any details of the theft-via-vendor news, its actions point to possible vectors.
Specifically, as the WSJ reported last week, shortly after learning of the attack, Target shuttered remote access to two internal systems: a human resources website called eHR and a database for suppliers called Info Retriever.
A spokeswoman told Network World that in order to secure its network, in addition to turning off remote access to platforms, Target has also updated access controls.
In-depth details that originally came out of the forensic investigation were later scrubbed by security firms, but security blogger Brian Krebs has published copies of the original reports.
At this point, the US Department of Justice (DOJ) is investigating the breach, Attorney General Eric Holder told the US Senate Judiciary Committee on Wednesday.
The DOJ typically doesn’t discuss matters under investigation, Holder said, but it’s making an exception in the case of this massive breach.
He said:
We are committed to working to find not only the perpetrators of these sorts of data breaches - but also any individuals and groups who exploit that data via credit card fraud.
The theft, which apparently started the day before Thanksgiving, 27 November, and reached through the heart of Christmas shopping mania up until 15 December, involved the breach of data including customer names, credit or debit card numbers, card expiration dates, and CVVs (cards’ three-digit security codes).
Target admitted a few weeks ago that it found malware on its point-of-sale (PoS) systems.
Welcome to the poisoned-PoS club, Target. You join recently victimised retailers including craft store Michaels and US luxury retailer Neiman Marcus.
In fact, PoS theft is becoming so widespread that the US Federal Bureau of Investigation (FBI) recently warned retailers about it, saying that it’s been seeing the same type of malware cropping up since 2011.
The agency said that over the past year, it’s seen about 20 cases in which data was stolen using the same type of malware as that inserted onto Target’s credit- and debit-card swiping machines, cash registers and other PoS equipment.
It’s not going away anytime soon, that’s for sure: the FBI says the profits are huge, and the PoS malware is both too cheap and too widely available on underground markets for thieves to resist.
Mind you, we don’t actually know yet whether rigged PoS devices are behind either the Target breach or the one that hit Michaels.
It certainly wouldn’t knock anybody’s socks off if PoS malware were to be involved, though.
As SophosLabs researcher Numaan Huq explains in an article about RAM scraper malware, this type of card fraud has matured to the point where card data can be plucked from our hands the moment we pull out the plastic to buy so much as a bar of chocolate.
In fact, “Buy candy, lose your credit card” is the title of a session at the 2014 RSA security conference in February, where Numaan and Chester Wisniewski will present a paper on the industrialisation of this particular type of card fraud.
I highly recommend reading Numaan’s article about RAM scrapers. It lifts the hood on what one would imagine would, or should, be end-to-end encryption in PoS systems.
Image of door with target courtesy of Shutterstock.
BTW guys, your little blue ad – top right – says “When the IT department is just you, get network security that just works.” Now, being an expat Brit of very mature years, “just works” tends to be interpreted as “only just works”, which infers that there are better products out there!
Well – if that is true there could be NO BETTER CASE for the dropping of the obsolete “Discretionary Access Control (DAC)” model for servers in favour of a more modern “Flexible Mandatory Access Control (FMAC)” system such as that offered in the SELinux functions of RHEL 6, etc.
Simple, getting a vendor’s credentials should be irrelevant to Target’s customers. Any vendor activating applications relevant to their function simply has an appropriate ENFORCED profile – one that simply isolates them to datasets/programs and the like relevant to their function – AND NO MORE.
Let’s talk about the responsibility of management and boards to provide information systems that are suitable for purpose and to make sure that these requirements are clear at specification and procurement time. BUT – will it happen without regulation? I doubt it!
What would be a control against retaining PII for which they have no business case?
The BMC credentials were used in the hack, yes, but only to perform file transfer operations. This is to hide from systems that would report unauthorized account access such as server logs, IPS, or SIEM correlation rules. Using the BMC credentials might even fool most secops analysts tracking an alert after finding approved, in-house software was simply running a job. This WOULD have triggered a high alert if there was an NBAD analysis platform in place, such as Lancope.
Krebs has already reported “But according to sources, the attackers broke in to Target after compromising a company Web server” in his 1/14 report. Malcovery added additional evidence and analysis in their January report. There was an entry through the perimeter, and it is pointing to SQL injection.
I see a lack of behavioral analysis at multiple layers allowing this breach. From the entry point bypassing their signature-based WAF, to the endpoints infected with malware that was overlooked due to lack of priority on the signature, then the unauthorized account access using stolen creds. There is COTS technology available to address all of these breach points. The Target security teams were not complacent, they were unarmed.
After reading Numaan’s article on RAM scrapers, I will not be swiping my card at any retail location anytime soon. That is some pretty scary stuff.