Question

In: Economics

In very basic terms, explain to the class how the data breach at Target occurred in the first place. Make sure you provide a Reference to an article in your posting that is hyperlinked so that students can also go to this article and read it, themselves, including the page(s) number(s) in that article where you obtained the information required to develop your posting here.

Solutions

Expert Solution

The attack started on November 27th, 2013; Target personnel discovered the breach and notified the U.S. Justice Department by December 13th. As of December 15th, Target had a third-party forensic team in place and the attack mitigated; the breach appears to have begun on or around what is called Black Friday 2013. Target informed about 110 million credit- or debit-card-wielding shoppers, who made purchases at one of the company's stores during the attack, that their personal and financial information had been compromised. To put it in perspective, the attackers pilfered 11 gigabytes (GB) of data.

How the data breach at Target occurred: the attackers exfiltrated data from a complex retail network.

We discuss the sequence of events that precipitated the data breach:

1. Preliminary survey: We don't know for certain if or how the attackers performed reconnaissance on Target's network prior to the attack, but it wouldn't have required much more than a simple internet search. The attackers may have gleaned information about Target's infrastructure. Reconnaissance would have revealed a detailed case study on the Microsoft website describing how Target uses Microsoft virtualization software, centralized name resolution, and Microsoft System Center Configuration Manager to deploy security patches and system updates.

The internet provides additional clues. A simple Google search turned up Target's Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc.

After drilling down, Krebs found a page listing HVAC and refrigeration companies.

2. Compromise third-party vendor: The attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a refrigeration contractor.

A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for -- Fazio Mechanical's login credentials.

At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned Fazio used the free version of Malwarebytes anti-malware, which, being an on-demand scanner, offered no real-time protection. Target should demand that vendors accessing their systems use appropriate anti-malware software. Malwarebytes anti-malware is highly regarded by experts when used in the correct manner.

3. Leveraging Target's vendor-portal access: Most likely Citadel also gleaned login credentials for the portals used by Fazio Mechanical. With that in hand, the attackers got to work figuring out which portal to subvert and use as a staging point into Target's internal network. Target hasn't officially said which system was the entry point, but the Ariba portal was a prime candidate. Most, if not all, internal applications at Target used Active Directory (AD) credentials, and I'm sure the Ariba system was no exception. I wouldn't say the vendor had AD credentials, but internal administrators would use their AD logins to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.

It's possible that attackers abused a vulnerability in the web application, such as SQL injection, XSS, or possibly a 0-day, to gain a point of presence, escalate privileges, then attack internal systems. A malware detection tool made by the computer security firm FireEye was in place and sent an alarm, but the warning went unheeded.

4. Gain control of Target servers: Again, Target hasn't said publicly how the attackers undermined several of their internal Windows servers, but there are several possibilities. We can speculate the criminals used the attack cycle described in Mandiant's APT1 report to find vulnerabilities, then moved laterally through the network using other vulnerable systems.

5. Next, Target's point of sale (POS) systems: Details about the malware, code-named Trojan.POSRAM, used to infect Target's POS system, are as follows. The RAM-scraping portion of the POS malware grabs credit/debit card information from the memory of POS devices as cards are swiped. Every seven hours the Trojan checks to see if the local time is between the hours of 10 AM and 5 PM. If so, the Trojan attempts to send winxml.dll over a temporary NetBIOS share to an internal host inside the compromised network over TCP port 139, 443 or 80.

This technique allowed attackers to steal data from POS terminals that lacked internet access.

Once the credit/debit card information was secure on the dump server, the POS malware sent a special ICMP (ping) packet to a remote server. The packet indicated that data resided on the dump server. The attackers then moved the stolen data to off-site FTP servers and sold their booty on the digital black market.

Securing massive amounts of connected systems is known to be technically challenging. Target's security division attempted to protect its systems and networks against cyber threats such as malware and data exfiltration. Six months prior to the breach, Target deployed a well-known and reputable intrusion and malware detection service named FireEye, which was guided by the CIA during its early development. Unfortunately, multiple malware alerts were ignored. Some prevention functionalities were turned off by administrators who were not familiar with the FireEye system. Target Corp. missed the early discovery of the breach.

As we observe an increasing number of data breaches, these incidents bring us to rethink the effectiveness of existing security mechanisms, solutions, deployments and executions. A credit card breach has a huge negative impact on every entity in the payment ecosystem, including merchants, banks, card associations and customers.

There are multiple theories on how the criminals initially hacked into Target, and none of them have yet been confirmed by Target Corporation. However, the primary and most well-supported theory is that the initial breach didn’t actually occur inside Target. Instead, it occurred in a third party vendor, Fazio Mechanical Services, which is a heating, ventilation, and air-conditioning firm.

Attackers first penetrated into the Target network with compromised credentials from Fazio Mechanical. Then they probed the Target network and pinpointed weak points to exploit. Some vulnerabilities were used to gain access to the sensitive data, and others were used to build the bridge transferring data out of Target. Due to the weak segmentation between non-sensitive and sensitive networks inside Target, the attackers accessed the point of sale networks.

Phases in the Data Breach:

Phase I: Initial Infection -> Phase II: PoS Infection -> Phase III: Data collection -> Phase IV: Data exfiltration -> Phase V: Monetization

Phase I: Initial Infection

At some point the Fazio Mechanical Services system was compromised by what is believed to be a Citadel Trojan. Due to the poor security training and security system of the third party, the Trojan gave the attackers full range of power over the company’s system.

Phase II: PoS Infection

Once they gained access into Target’s network they started to test installing malware onto the point of sales devices. The attackers used a form of point of sales malware called BlackPOS.

Phase III: Data collection

Once BlackPOS was installed, updated and tested, the malware started to scan the memory of the point of sales devices to read the track information, especially card numbers, of the cards scanned by the card readers connected to the point of sales devices.

Phase IV: Data exfiltration

The card numbers were then encrypted and moved from the point of sales devices to internal repositories, which were compromised machines. During the breach the attackers took over three FTP servers on Target's internal network and carefully chose the backdoor user name "Best1 user" with password "BackupU$r", which are normally created by the IT management software Performance Assurance for Microsoft Servers. The stolen card information was then relayed to other compromised machines and finally pushed to drop sites in Miami and Brazil.

Phase V: Monetization

Sources indicate the stolen credit card information was aggregated at a server in Russia, and the attackers collected 11 GB of data during November and December 2013. The credit cards from the Target breach were identified on black market forums for sale.

BlackPOS, seen on underground forums since February 2013, is believed to be the major malware used in the data breaches at Target (2013).

With the increasing amount of data leak incidents in recent years, it is important to analyze the weak points in our systems, techniques and legislation and to seek solutions to the issue.

Reference:

Internet article "Target Breach: What Happened?", BankInfoSecurity (https://www.bankinfosecurity.com), 2020: https://www.bankinfosecurity.com/target-breach-what-happened-a-6312
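As an added illustration of Phase III (the RAM-scraping step), not part of the expert solution above, the referenced article, or BlackPOS itself: the Python below scans a constructed byte buffer the way a POS RAM scraper scans a checkout process's memory, matching the ISO/IEC 7813 Track 2 layout (`;PAN=YYMM` service code, discretionary data, `?`) and keeping only PANs whose Luhn check digit is correct, which is how scrapers keep the false-positive rate usable on a large heap. The buffer contents, the regex, and the function names are assumptions made for the example; the PANs are the standard 4111.../5500... test numbers, not real cards.

```python
"""Track 2 RAM scraping, reconstructed as an added example (not BlackPOS code)."""
import re

# ISO/IEC 7813 Track 2 layout as it sits in a POS process's memory between the
# swipe and the authorization request:
#   ';' PAN (13-19 digits) '=' expiry (YYMM) service code (3 digits)
#   discretionary data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan):
    """Return True if the PAN's check digit is correct (Luhn / ISO 7812)."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:        # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf):
    """Walk a memory image and return the card records a scraper would keep.

    A real scraper reads the POS process with ReadProcessMemory; here the
    image is any bytes object. Regex hits whose PAN fails Luhn are dropped.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_valid(pan):
            continue
        hits.append({
            "offset": m.start(),
            # Only a masked PAN is kept here; a real scraper keeps the whole track.
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
        })
    return hits


def build_sample_memory():
    """Constructed heap image (an assumption for this example): junk, two
    swipes with valid check digits, and one record whose PAN fails Luhn."""
    return (
        b"\x00" * 64
        + b"POSAPP v3.1 transaction handler\x00"
        + b";4111111111111111=25121015432112345678?\x00"
        + b"\xff" * 32
        + b";4111111111111112=26011010000000000000?"  # bad check digit, skipped
        + b"\x00" * 16
        + b";5500000000000004=27061019876543210?"
        + b"\x00" * 64
    )


if __name__ == "__main__":
    for hit in scan_memory(build_sample_memory()):
        print(hit)
```

The scraper only works because the track data sits in plaintext in process memory between the reader and the authorization request; with point-to-point encryption at the card reader the process holds ciphertext and the regex finds nothing. The same regex-plus-Luhn pass over a dump of a POS process is also a cheap way for a defender to confirm whether card data is exposed in memory at all.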


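As an added illustration of Phase IV and of the detection opportunity the solution says Target's monitoring missed, not part of the expert solution or the referenced article: a small Python detector over constructed connection-log lines that flags a POS-segment host pushing data over SMB/NetBIOS (TCP 139/445) to an internal host that is not an approved peer, an internal host sending ICMP to an address outside the RFC 1918 ranges (the "data is ready" signal), and the two chained together within a short interval. The POS subnet, the approved-peer list, the log format and the sample lines are assumptions made for the example.

```python
"""Detection of the staging-then-beacon pattern from Phase IV (added example)."""
import ipaddress
from datetime import datetime

# Assumptions for the example: POS terminals live in one segment, and the only
# internal hosts they legitimately talk to are the payment gateway and the POS
# update server.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
APPROVED_POS_PEERS = {
    ipaddress.ip_address("10.20.255.10"),   # payment gateway (assumed)
    ipaddress.ip_address("10.20.255.11"),   # POS update server (assumed)
}
# RFC 1918 listed explicitly: ipaddress's is_private also treats the
# documentation range 203.0.113.0/24 used below as private, which would hide the beacon.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection log (assumed format): timestamp src dst proto dport bytes
SAMPLE_LOG = """\
2013-12-02T10:05:11 10.20.3.41 10.20.255.10 tcp 443 1420
2013-12-02T11:31:02 10.20.3.41 10.50.7.12 tcp 139 2097152
2013-12-02T11:31:40 10.50.7.12 203.0.113.9 icmp 0 84
2013-12-02T12:02:10 10.20.3.43 10.20.255.10 tcp 443 900
2013-12-02T18:40:00 10.20.3.42 10.50.7.12 tcp 139 4096
"""


def parse_log(text):
    """Parse the constructed log into records with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def in_business_window(ts):
    """The POSRAM sample only moved data between 10 AM and 5 PM local time."""
    return 10 <= ts.hour < 17


def find_staging(records):
    """POS host copying data over SMB/NetBIOS to an internal host it should not reach."""
    return [r for r in records
            if r["src"] in POS_SEGMENT
            and r["proto"] == "tcp"
            and r["dport"] in (139, 445)
            and r["dst"] not in APPROVED_POS_PEERS]


def find_beacons(records):
    """Internal host sending ICMP to the internet."""
    return [r for r in records
            if r["proto"] == "icmp"
            and is_internal(r["src"]) and not is_internal(r["dst"])]


def correlate(records, window_seconds=1800):
    """Chain a staging copy with a beacon from the same dump server shortly after."""
    chains = []
    for s in find_staging(records):
        for b in find_beacons(records):
            delta = (b["ts"] - s["ts"]).total_seconds()
            if b["src"] == s["dst"] and 0 <= delta <= window_seconds:
                chains.append({
                    "pos_host": str(s["src"]),
                    "dump_server": str(s["dst"]),
                    "external": str(b["dst"]),
                    "bytes_staged": s["bytes"],
                    "in_window": in_business_window(s["ts"]),
                })
    return chains


if __name__ == "__main__":
    for chain in correlate(parse_log(SAMPLE_LOG)):
        print(chain)
```

The 10 AM to 5 PM window is reported as supporting context rather than required, since an operator can change the schedule; the 18:40 copy is still flagged on its own. The stronger fix is the one the solution itself points at: with proper segmentation the POS hosts could not open a share on 10.50.7.12 in the first place, and the staging alert would never fire because the connection would be dropped.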