Between November 27 and December 18, 2013, the Target Corporation's network was breached. 40 million credit and debit card numbers and 70 million records of personal information were stolen. The ordeal cost credit unions over two hundred million dollars just to reissue cards.
Six months prior to the breach, Target deployed a well-known and reputable intrusion and malware detection service named FireEye, which was guided by the CIA during its early development. Unfortunately, multiple malware alerts were ignored, and some prevention functionalities were turned off by administrators who were not familiar with the FireEye system. As a result, Target Corp. missed the chance to discover the breach early.
The attack started in November 2013, when the attackers first penetrated the Target network using credentials stolen from a third-party vendor, Fazio Mechanical Services, a heating, ventilation, and air-conditioning firm. They then probed the Target network and pinpointed weak points to exploit. Some vulnerabilities were used to gain access to sensitive data, and others were used to build a bridge for transferring data out of Target. Because segmentation between the non-sensitive and sensitive networks inside Target was weak, the attackers reached the point-of-sale networks.
Around September 2013, the Fazio Mechanical Services system was compromised by what is believed to be a Citadel Trojan, initially installed through a phishing attempt. Because of the third party's poor security training and weak security controls, the Trojan gave the attackers full control over the company's systems. It is not known whether Fazio Mechanical Services was specifically targeted or simply fell victim to a larger phishing campaign. What is certain is that Fazio Mechanical had access to Target's Ariba external billing system, i.e., the business section of Target's network.
Because of Target's poor network segmentation, all the attackers needed in order to reach Target's entire system was access to its business section. From there, they moved to other parts of the Target network, including segments that held sensitive data. Once inside, they began testing the installation of malware on the POS devices. The attackers used a form of point-of-sale malware called BlackPOS.
Once BlackPOS was installed, updated, and tested, the malware began scanning the memory of the POS devices to read the track data, especially card numbers, of the cards swiped on the card readers connected to those devices.
The card numbers were then encrypted and moved from the point-of-sale devices to internal repositories, which were compromised machines. During the breach, the attackers took over three FTP servers on Target's internal network and carefully chose the backdoor username "Best1 user" with the password "BackupU$r", which are normally created by the IT management software Performance Assurance for Microsoft Servers.
Sources indicate the stolen credit card information was aggregated at a server in Russia, and the attackers collected 11 GB of data during November and December 2013. Cards from the Target breach were later identified for sale on black-market forums.
So, where did Target fall short?
- Target did not investigate the security warnings generated by multiple security tools (e.g., FireEye and Symantec), and certain automatic malware-removal functionalities had been turned off.
- Target did not correctly segment its systems, failing to isolate sensitive network assets from easily accessed network sections. The VLAN technique used for segmentation is reported to be easy to bypass.
- Target did not harden its point-of-sale terminals, allowing unauthorized software installation and configuration. These settings let the malware spread and read sensitive card information from the POS terminals.
- Target did not apply proper access control to various accounts and groups, especially those belonging to third-party partners. This failure enabled the initial break-in via the HVAC company Fazio Mechanical Services Inc.
How were the attackers so successful at data exfiltration?
- Multi-phase data exfiltration – Infected POS terminals did not send sensitive data to the external network directly. Instead, they staged the data on a compromised internal server that acted as a repository and had access to the external network. This multi-phase scheme minimized anomalous data flows across network boundaries.
- String obfuscation – Critical strings in the malware executables were obfuscated to evade signature-based anti-virus detection. These strings included the process names the malware scanned for and the NetBIOS commands used to upload data to the internal repository.
- Self-destructive code – The malware avoided unnecessary infections to minimize its exposure. It deleted itself if the infected environment was not one of its intended targets, reducing the risk of detection in an unfamiliar environment.
- Data encryption – The harvested credit card information was encrypted in the file "Winxml.dll" on each POS terminal before it was sent to the internal repository. The encryption ensured that no card numbers were sent in plaintext, which hid the leak from traditional data loss prevention (DLP) systems.
- Constrained communication – Communications on the internal network were scheduled during office hours. Busy office-hour traffic helped hide the anomalous communications between infected POS terminals and the compromised internal repository.
- Customized attack vector – Internal IP addresses and login credentials of the compromised servers were hardcoded in the malware, which means the malware author had knowledge of the internal network. The detection countermeasures were deliberately designed alongside the data exfiltration process.
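As an added defender-side illustration (not from the original article), the following Python sketch applies the two-hop exfiltration pattern described above to constructed flow records: it flags any internal host that both aggregates traffic from several POS terminals and sends data outside the internal address range. The subnets, hosts, ports and byte counts are assumptions made up for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes).
# All addresses and volumes are invented for this illustration.
FLOWS = [
    ("10.10.1.11", "10.20.0.5", 445, 120_000),   # POS -> suspected internal repository
    ("10.10.1.12", "10.20.0.5", 445, 98_000),
    ("10.10.1.13", "10.20.0.5", 445, 101_500),
    ("10.10.2.21", "10.20.0.5", 445, 87_000),
    ("10.20.0.5", "203.0.113.77", 21, 400_000),  # repository -> external FTP (TEST-NET-3)
    ("10.10.1.11", "10.30.0.9", 443, 2_000),     # POS -> payment proxy (normal traffic)
    ("10.30.0.9", "198.51.100.4", 443, 9_000),   # proxy -> external, but only one POS source
]

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal range
POS_NET = ipaddress.ip_network("10.10.0.0/16")       # assumed POS terminal subnet


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_staging_hosts(flows, min_pos_sources=3):
    """Return {host: (num_pos_sources, external_bytes)} for internal hosts that
    both receive data from at least min_pos_sources POS terminals and send data
    to addresses outside the internal range (the multi-phase pattern)."""
    pos_sources = defaultdict(set)   # internal host -> set of POS senders
    egress_bytes = defaultdict(int)  # internal host -> bytes sent externally
    for src, dst, _port, nbytes in flows:
        if ipaddress.ip_address(src) in POS_NET and is_internal(dst):
            pos_sources[dst].add(src)
        elif is_internal(src) and not is_internal(dst):
            egress_bytes[src] += nbytes
    return {
        host: (len(srcs), egress_bytes[host])
        for host, srcs in pos_sources.items()
        if len(srcs) >= min_pos_sources and egress_bytes[host] > 0
    }


if __name__ == "__main__":
    for host, (n, b) in find_staging_hosts(FLOWS).items():
        print(f"possible staging host {host}: {n} POS sources, {b} bytes egress")
```

The payment proxy in the sample is not flagged because only one POS terminal talks to it, which is why the check correlates fan-in from POS hosts with external egress rather than alerting on either signal alone.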