On Target, the 2013 Data Breach at Target
As much of the world is staying isolated at home, cybercriminals have more time to hammer away at your passwords. In fact, in June the rate of brute force attacks rose by 671%. That is a staggering increase, and it looks like increased phishing via email is the most effective attack vector.
If a brute force attack succeeds, the attacker gains passwords, usernames, and passphrases. More importantly, a compromised account can lead to successful attacks on coworkers and on the organisation's partners and vendors.
Take a look at the Target attack in 2013. The attacker (based out of Ukraine) first compromised the network of Fazio Mechanical Services, Inc. (FMS), based in Sharpsburg, PA, a refrigeration and HVAC (Heating, Ventilation, and Air Conditioning) system control and repair company. Target uses FMS to keep its stores and food at a constant temperature and to keep its refrigeration systems operational. FMS installs, maintains, and repairs these systems for all Target stores in the United States.
The attacker used stolen credentials for this attack, which they obtained from an unwitting employee at FMS through a spear-phishing email that carried the malware. From November 15th to December 18th, the hackers carried out this sophisticated attack against Target’s networks, beginning with that spear-phishing email to FMS.
Sometime before the attack
The attacker had to do some reconnaissance prior to the attack. Either they had an insider, or they spent the time and effort to plan the attack, and that required reconnaissance: they had to know who Target’s third-party vendors and partners were, have a basic understanding of how its internal networks were set up, and so on.
Some of this research could have been done with Google, finding out what intelligence was already online. In fact, Brian Krebs reported on his blog, Krebsonsecurity.com, that “A simple Google search turns up Target’s Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc.” After drilling down, Krebs found a page listing HVAC and refrigeration companies.
Maybe it was with help from a 2011 Microsoft customer case study in which Microsoft details how Target was moving to a virtualization solution; this was removed from Microsoft’s servers in 2016 but is still online via the Wayback Machine.
Just six months prior to the attack, Target invested $1.6 million in a malware detection tool made by the computer security firm FireEye. FireEye had a team of security specialists in Bangalore, India to monitor its computers around the clock.
Target was certified as PCI-DSS compliant (Payment Card Industry Data Security Standard). PCI compliance is an information security standard for organizations that handle branded credit cards from the major card schemes. It is designed to help secure payment systems. Becoming PCI compliant is a very costly, long endeavor and requires constant upkeep.
The attacker chose FMS as their target, and the attack vector was a spear-phishing email sent to an FMS employee; all the employee had to do was click on the link or open the attachment. (source) According to investigators, the spear-phishing email that fooled the employee at FMS came from an account marked “Target International”, with the victim’s own supervisor listed as the sender, and the subject line referenced a project the victim was currently working on. (source) When the employee, believing the email was real, clicked on the link or opened the attachment, they unknowingly launched Citadel (malware that targets password managers).
It is important to note that FMS does not, and did not, perform remote monitoring of the systems installed at Target, as some experts have suggested. (source) It is also important to note that FMS might not have been the only vendor working with Target to be targeted by a spear-phishing email like the one sent to FMS; however, they were the ones who clicked the link or opened the attachment.
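The two tells in that email, a trusted display name and a supervisor listed as sender on a message that did not come from the expected domain, are exactly what a mail gateway can check before a human ever sees the message. The following is an added example written for this article, not code from the original post or from any vendor involved: it assesses only the From and Reply-To headers against a constructed list of trusted domains and known display names, and both sample messages (the domains `mail-target-intl.example`, `invoice-review.example`, `fms.example` and the name "Jane Supervisor") are constructed for the demo.

```python
"""Header sanity check for display-name spoofing (added example).

Assumptions (not from the article): the trusted domains, the known display
names and both sample messages below are constructed for the demo; a real
deployment would pull the name list from the directory and the domain list
from the mail gateway configuration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the recipient organisation legitimately corresponds with (constructed).
TRUSTED_DOMAINS = {"fms.example", "target.example"}
# Display names a recipient would instinctively trust (constructed, lower-cased).
KNOWN_NAMES = {"target international", "jane supervisor"}

# Constructed lookalike: trusted display name, unrelated sending domain,
# and a Reply-To that points somewhere else again.
SUSPICIOUS_MESSAGE = """\
From: Jane Supervisor <jane.supervisor@mail-target-intl.example>
Reply-To: projects@invoice-review.example
To: tech@fms.example
Subject: Re: Store 1234 refrigeration project

Please review the attached project documents.
"""

# Constructed benign message from the real internal domain.
BENIGN_MESSAGE = """\
From: Jane Supervisor <jane.supervisor@fms.example>
To: tech@fms.example
Subject: Re: Store 1234 refrigeration project

See you at 10.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def brand_tokens() -> set:
    """First labels of the trusted domains, e.g. 'target' and 'fms'."""
    return {d.split(".")[0] for d in TRUSTED_DOMAINS}


def assess_sender(raw_message: str) -> dict:
    """Score a message on From/Reply-To header consistency only (no body analysis)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # A name people trust, arriving from a domain the organisation does not use.
    if name.strip().lower() in KNOWN_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"trusted display name '{name}' sent from untrusted domain '{from_domain}'")

    # Lookalike domain: carries a brand word but is not itself a trusted domain.
    labels = set(re.split(r"[.-]", from_domain))
    if from_domain not in TRUSTED_DOMAINS and labels & brand_tokens():
        findings.append(f"sending domain '{from_domain}' resembles a trusted brand")

    # Replies silently redirected to a third domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs from From domain")

    return {
        "from_name": name,
        "from_domain": from_domain,
        "risk": "high" if findings else "low",
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MESSAGE, BENIGN_MESSAGE):
        print(assess_sender(sample))
```

The check deliberately ignores the body and the attachment: header consistency is cheap, runs before any content scanning, and catches the "supervisor as sender" trick regardless of what the payload is.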
FMS actually didn’t know that they were compromised. The company’s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware.
As Krebsonsecurity.com notes: To be clear, Malwarebytes Anti-Malware (MBAM) free is quite good at what it’s designed to do – scan for and eliminate threats from host machines. However, there are two problems with an organization relying solely on the free version of MBAM for anti-malware protection: Firstly, the free version is an on-demand scanner that does not offer real-time protection against threats (the Pro version of MBAM does include a real-time protection component). Secondly, the free version is made explicitly for individual users and its license prohibits corporate use.
With the malware installed, the attacker only needed to wait for credentials with the right level of access to be passed along and captured by Citadel. Once they had those, they were able to fully compromise the FMS network, and after a few more attacks they were able to vault into Target’s payment system network, stealing 40 million credit and debit cards (out of 110 million that the system stored) and sensitive personal information about another 70 million shoppers, one of the biggest data breaches to hit a U.S. retailer.
With access to FMS, the attacker exploited a web application vulnerability in xmlrpc.php on the Ariba billing system, a system used exclusively for electronic billing, contract submission, and project management between Target and FMS (plus the other partners and vendors Target works with). This gave them control of the web interface between FMS and Target headquarters. They used the vulnerability to run a PHP web shell and hid it in plain sight by naming it after the file they used to gain entrance, xmlrpc.php.
Now that they had access to an interface within Target’s internal network, the Ariba system, they were able to exploit administrative credentials for the Active Directory server. They queried Active Directory over LDAP to enumerate servers and then find those that contained the string MSSQLSvc, a database service. This gave them hostnames, from which they could then query for IP addresses.
Armed with hostnames and IP addresses for those targets, they then used a well-known attack technique to obtain the NT hash so they could impersonate an Active Directory account with administrator rights; in this case, they targeted a well-known account name for a BMC Software product that Target was using.
To guard against the compromised BMC account having its password changed, they established a new domain administrator account. They again hid in plain sight, naming this account after BMC’s BladeLogic Server Automation product.
The next step was to scan the network to discover what assets were on it. This was done using the freeware tool “Angry IP Scanner”, an open-source, cross-platform network scanner.
Now armed with a map of the network, they were able to tunnel from computer to computer, bypassing security measures.
Once they made it to their target, the database of the payment system, they only needed to copy the database in bulk, but this is where PCI compliance presented the attackers with an obstacle. Since Target was PCI compliant, meaning it did not store any card-specific data, the attackers had to go after the point-of-sale (PoS) terminals themselves, which were vulnerable.
The attack on the PoS system was accomplished by installing malware on the machines themselves that performed what is known as “RAM scraping”. The malware was designed to scan the memory of infected PoS machines and save any credit card information it found to a file, unencrypted, in plaintext.
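A web shell that reuses the name of a legitimate file defeats anyone eyeballing a directory listing, but not a file-integrity baseline: the name is the same, the hash is not. The following is an added example for this article, not code from the original post or from the Ariba product: it builds a SHA-256 manifest of a web root at deployment time and later diffs the live tree against it, reporting modified, added and removed files. The web root layout and file contents (`xmlrpc.php`, `index.php`, `uploads/cache.php`) are constructed in a temporary directory for the demo.

```python
"""Baseline-and-diff file integrity check for a web root (added example).

Assumptions (not from the article): the web root layout and the file contents
below are constructed for the demo; a real deployment would store the
baseline manifest off-host, so an intruder cannot rewrite it, and run the
compare on a schedule.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a known-good xmlrpc.php is replaced under the same name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "xmlrpc.php").write_text("<?php /* constructed: vendor file */ ?>\n")
        (root / "index.php").write_text("<?php /* constructed: front controller */ ?>\n")
        baseline = build_manifest(root)          # taken at deployment time

        # Later: the same filename now holds different content, and a new
        # file has appeared in a writable directory.
        (root / "xmlrpc.php").write_text("<?php /* constructed: altered after deploy */ ?>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_text("<?php /* constructed: new file */ ?>\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

A change to `xmlrpc.php` on a system where nobody deployed anything is the alert; the same diff also surfaces new executable files in upload directories, which is the other common place a shell lands.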
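A brand-new account that becomes a domain administrator minutes after it is created is a loud signal in the domain controller's security log, and it is the kind of check the "Monitoring sensitive groups and accounts" item further down this article calls for. The following is an added example for this article, not code from the original post or from Microsoft: it correlates Windows Security event 4720 (user account created) with event 4728 (member added to a security-enabled global group). The key=value log layout, the field names and the account names (`svc-backup`, `svc-automation`, `admin01`, `carol`) are the example's own constructed simplification, not the real event schema.

```python
"""Alerting on new accounts that land in privileged AD groups (added example).

Assumptions (not from the article): the log lines are constructed in a
simplified key=value layout; Windows Security event IDs 4720 (user account
created) and 4728 (member added to a security-enabled global group) are
real, but the field names and account names used here are the example's own.
"""
import re
from datetime import datetime, timedelta

SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
NEW_ACCOUNT_WINDOW = timedelta(hours=1)   # creation-to-privilege gap worth a high-severity alert

# Constructed sample: a routine service account goes into a helpdesk group;
# later an account is created at 02:03 and is in Domain Admins two minutes after.
SAMPLE_LOG = """\
ts=2013-11-20T09:14:02 event=4720 subject=admin01 target=svc-backup
ts=2013-11-20T09:15:10 event=4728 subject=admin01 member=svc-backup group="Helpdesk"
ts=2013-11-30T02:03:44 event=4720 subject=svc-mgmt target=svc-automation
ts=2013-11-30T02:05:01 event=4728 subject=svc-mgmt member=svc-automation group="Domain Admins"
ts=2013-12-01T10:00:00 event=4728 subject=admin02 member=carol group="Domain Admins"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def detect_privileged_adds(log_text: str) -> list:
    """Return one alert per addition to a sensitive group.

    Severity is 'high' when the member was created less than NEW_ACCOUNT_WINDOW
    earlier (a fresh account jumping straight to domain admin), else 'medium'
    (still worth a ticket: every privileged-group change should be expected).
    """
    created = {}     # account name -> creation timestamp
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "4720":
            created[ev["target"]] = ts
        elif ev["event"] == "4728" and ev["group"] in SENSITIVE_GROUPS:
            member = ev["member"]
            born = created.get(member)
            fresh = born is not None and ts - born <= NEW_ACCOUNT_WINDOW
            alerts.append({
                "ts": ev["ts"],
                "severity": "high" if fresh else "medium",
                "member": member,
                "group": ev["group"],
                "by": ev["subject"],
                "minutes_since_creation": int((ts - born).total_seconds() // 60) if born else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_adds(SAMPLE_LOG):
        print(alert)
```

Naming the account after a legitimate product does nothing against this rule, because it keys on the group change and the account's age, not on the name.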
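A sweep of a whole subnet looks nothing like ordinary traffic: one source touching dozens of distinct hosts inside a minute, where a normal client talks to a handful of servers all day. The following is an added example for this article, not code from the original post or from the Angry IP Scanner project: it runs a sliding-window distinct-destination count over flow records. The flow records are constructed (one client talking to three servers, one host probing sixty addresses in thirty seconds); the addresses, window and threshold are the example's own and are starting points to tune against real traffic.

```python
"""Horizontal network-sweep detection from flow records (added example).

Assumptions (not from the article): the flow records are constructed (one
ordinary workstation plus one host touching sixty addresses in thirty
seconds); the 10.10.x.x addresses, the 60 s window and the threshold of 20
distinct hosts are the example's own.
"""
from collections import defaultdict, deque


def constructed_flows() -> list:
    """(ts_seconds, src, dst, proto, dport) records, sorted by time."""
    flows = []
    servers = ["10.10.2.10", "10.10.2.11", "10.10.2.12"]
    for k in range(120):                       # ordinary client talking to three servers
        flows.append((900.0 + 5 * k, "10.10.1.20", servers[k % 3], "tcp", 443))
    for i in range(1, 61):                     # one host pinging a whole /24 in 30 s
        flows.append((1000.0 + 0.5 * i, "10.10.1.50", f"10.10.5.{i}", "icmp", 0))
    flows.sort(key=lambda f: f[0])
    return flows


def detect_sweeps(flows, window_s: float = 60.0, threshold: int = 20) -> list:
    """Alert once per source that contacts >= threshold distinct hosts within window_s.

    A deque per source keeps only the flows inside the window, so old flows
    fall off the front as time advances and the distinct-host count stays
    bounded by the window size.
    """
    recent = defaultdict(deque)      # src -> deque of (ts, dst, proto)
    alerted = set()
    alerts = []
    for ts, src, dst, proto, _dport in flows:
        q = recent[src]
        q.append((ts, dst, proto))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {d for _, d, _ in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "first_seen": q[0][0],
                "detected_at": ts,
                "distinct_hosts": len(distinct),
                "protocols": sorted({p for _, _, p in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(constructed_flows()):
        print(alert)
```

The alert fires on the twentieth distinct host, long before the sweep finishes, which is the point: a scanner has to touch many hosts to be useful, and that is the behaviour, not the tool, that the detection keys on.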
A Dell SecureWorks report shows that the attackers also installed malware, designed to move stolen data through Target’s network and the company’s firewall, on a Target server. The attackers reportedly first installed three variants of this malware on November 30. FireEye in Bangalore, India, actually detected the activity and alerted Minneapolis, who did nothing.
According to a Bloomberg Businessweek report, Target’s FireEye malware intrusion detection system triggered urgent alerts with each installation of the data exfiltration malware. However, Target’s security team neither reacted to the alarms nor allowed the FireEye software to automatically delete the malware in question. However, experts state that it is commonplace to disable the automatic features. Target’s Symantec antivirus software also detected malicious behavior around November 28, implicating the same server flagged by FireEye’s software.
Just before midnight on December 2 and just after midnight on December 3, the attacker once again updated the malware; once again FireEye detected the activity and alerted Minneapolis, who again did nothing. (source)
By December 2 they had the data in unencrypted files and just needed to exfiltrate them. They created a remote file share on an FTP-enabled workstation; then they only needed to FTP to that workstation and retrieve the files.
Analysis of the malware by Dell SecureWorks found that the attackers exfiltrated data between 10:00 a.m. and 6:00 p.m. Central Standard Time, presumably to obscure their work during Target’s busier shopping hours.
Over the next two weeks, the attackers collected over 11 GB of stolen information on a Russia-based server.
Target management wasn’t made aware of the attack until December 12th, when the U.S. Department of Justice contacted Target about a possible data breach on their network.
By the 14th, Target had hired third-party forensics teams.
By the 15th, Target confirms the breach and removes most of the malware, causing the attackers to lose their foothold in the Target network, effectively stopping the attack and the exfiltration of data.
On December 19, 2013, Target publicly confirmed that some 40 million credit and debit card accounts were exposed in a breach of its network, with the following statement:
“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions and has identified and resolved the issue.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president, and chief executive officer, of Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
“Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”
It is interesting to note that by December 20th, the stolen cards were already for sale in “card shops” – an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.
Krebsonsecurity.com reported: “Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.” (source)
On January 10, 2014, Target disclosed that non-financial personal information, including names, addresses, phone numbers, and email addresses, for up to 70 million customers was also stolen during the data breach. The breach consisted of over 11 gigabytes of data.
FMS releases a statement about the attack (pdf)
All this could have been stopped
This could have been stopped if Target and FMS had implemented some of the following (and answered some of these questions):
- Acting on alerts: why didn’t the security center in Minneapolis do anything?
- Network segmentation: why was the PoS system on the same network as the rest of Target’s networks?
- Turning off unused services like xmlrpc.php and FTP
- Changing passwords frequently or using 2FA
- Monitoring sensitive groups and accounts
- Having Antivirus installed on the PoS machines
- Educating employees about Phishing
- Locking down the network to not respond to ping
- FMS claimed it was in full compliance with industry practices, but it wasn’t
- Require vendors that access Ariba and other similar portals to use 2FA
- Keep software up-to-date with proper patching cadence
- Penetration testing
The one big lesson here that everyone should learn is to NOT trust your partners and contractors. This trust between Target and Fazio Mechanical Services was the downfall of both parties.
To illustrate the lack of segmentation, the Verizon audit team supposedly accessed a cash register after they compromised a deli counter scale that was located in a different store (Krebs, 2015).
The audit team also found significant problems with the enforcement of password policies. Target maintained a password policy that included industry-standard practices; however, investigators found multiple files stored on Target servers that included login credentials for various systems. (Krebs, 2015)
The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password. Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and eventually gain domain administrator access. (Krebs, 2015)
The use of weak passwords was apparently rampant within the Target infrastructure, and the security investigation team was able to crack over 500,000 passwords, representing 86% of identified accounts, to various internal Target systems.
For example, the Verizon consultants found systems missing critical Microsoft patches or running outdated [web server] software such as Apache, IBM WebSphere, and PHP. These services were hosted on web servers, databases, and other critical infrastructure. These services have many known vulnerabilities associated with them. In several of these instances where Verizon discovered these outdated services or unpatched systems, they were able to gain access to the affected systems without needing to know any authentication credentials. Verizon and the Target Red Team exploited several vulnerabilities on the internal network, from an unauthenticated standpoint. The consultants were able to use this initial access to compromise additional systems. Information on these additional systems eventually led to Verizon gaining full access to the network – and all sensitive data stored on network shares – through a domain administrator account. (Krebs, 2015)
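Credentials sitting in files on servers, as the Verizon team found, are something a periodic sweep can catch long before an auditor or an intruder does. The following is an added example for this article, not code from the original post or from Verizon: it walks a directory tree looking for assignment-style secrets (`password=`, `pwd:`, the `Password=` token of a connection string) and reports the location with the value redacted. The directory tree, the file contents and the key names matched are constructed conventions for the demo, not a list taken from Target's environment.

```python
"""Sweeping a file tree for credentials stored in plaintext (added example).

Assumptions (not from the article): the directory tree and file contents are
constructed in a temporary directory; the key names matched (password,
passwd, pwd, secret, api_key) are common conventions, not names taken from
Target's environment. Values are redacted in the report so the scan does not
create a fresh copy of the secrets it finds.
"""
import re
import tempfile
from pathlib import Path

# key = value, key: value, or Password=value inside a connection string.
CRED_PATTERN = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*(['\"]?)([^'\"\s;]+)\2"
)
# Values that are clearly not real secrets.
PLACEHOLDERS = {"changeme", "<redacted>", "xxx", "none"}
SKIP_SUFFIXES = {".jpg", ".png", ".gz", ".zip", ".exe", ".dll"}


def redact(value: str) -> str:
    """Keep the first two characters so duplicates can be recognised, mask the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(text: str):
    """Yield (line_no, key, redacted_value) for each credential-looking assignment."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CRED_PATTERN.finditer(line):
            key, value = match.group(1), match.group(3)
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue        # template variable or obvious placeholder
            yield line_no, key.lower(), redact(value)


def scan_tree(root: Path) -> list:
    """Walk a directory and collect (relative_path, line_no, key, redacted) hits."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in SKIP_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for line_no, key, redacted in scan_text(text):
            hits.append((path.relative_to(root).as_posix(), line_no, key, redacted))
    return hits


def demo() -> list:
    """Constructed tree: an ini file, a web.config connection string, an env
    file with template placeholders, and a harmless README."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "db.ini").write_text(
            "[database]\nhost=db01\nuser=appsvc\npassword=Winter2013!\n"
        )
        (root / "app" / "web.config").write_text(
            "<connectionStrings>\n"
            '  <add connectionString="Server=db01;User Id=sa;Password=sa2013;" />\n'
            "</connectionStrings>\n"
        )
        (root / "app" / "settings.env").write_text("DB_PASSWORD=${PASSWORD}\nAPI_KEY: changeme\n")
        (root / "README.txt").write_text("Ask the helpdesk for credentials.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The report gives the path and line, which is what an owner needs to move the value into a vault, and the first two characters, which is enough to spot the same password reused across many files without printing it.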
The Lessons Learned
A corporate webpage describes changes made by the company regarding its security posture, including the following:
- Improved monitoring and logging of system activity
- Installed application whitelisting on POS systems
- Implemented POS management tools
- Improved firewall rules and policies
- Limited or disabled vendor access to their network
- Disabled, reset, or reduced privileges on over 445,000 Target personnel and contractor accounts
- Expanded the use of two-factor authentication and password vaults
- Trained individuals on password rotation
Target faced $292 million in losses before its cyber-insurance policy paid $90 million. Its losses include:
- The cost to reimburse banks for the reissue of millions of credit and debit cards
- Fines from credit card brands for non-compliance
- Customer service costs
- Legal fees
- Credit monitoring for the millions of customers affected by the breach (source)
- Costs of third-party forensics teams from the same company (Verizon): a “data breach task force” advice team and a Professional Forensics Investigations (PFI) team (source)
- New EMV (Europay, MasterCard, and Visa) compliant POS terminals in all of its stores nationwide (source)
- Higher insurance rates – Target had at least $100 million of cyber insurance and $65 million of directors and officers liability coverage (source)
- Hired teams of Cyber Security Analysts
- Loss of customers (Consumer trust) (source)
- Money was lost when Target offered 10% discounts immediately after a breach was disclosed to the public to entice shoppers (source)
- Target’s sales fell 3-4% during the 2013 Christmas holiday period (source)
- Drop in stock price by 10% (source)
- $10M settlement with Target customers for losses (source)
- $18.5M settlement with 47 states (source)
- $19M settlement with Mastercard (source)
- $67M settlement with Visa for losses (source)
- $39.4M settlement with MasterCard and other banks for losses (source)
- Cost of credit card monitoring services to millions of people
Costs not in the above total
- CEO Gregg Steinhafel (been with Target for 35 years) was forced to resign (He was the CEO, President, and Chairman of the Board) (source)
- CIO Beth Jacobs was forced to resign (source)
- Legal costs from the recently settled lawsuit against ACE American Insurance Co., Target’s insurance company (source)
Consumers Didn’t Get a Good Deal
Only about 226,000 consumers filed for compensation from Target. They had to provide evidence of a loss or, if they lacked documentation, assert they had suffered certain kinds of trouble, such as having to dispute fraudulent charges or overdraft fees. Individual payouts are capped at $10,000. However, the vast majority of claims are undocumented and would pay only $40. Consumers are in line for just $10 million, while attorney and administration costs hit $13 million. (source)
Interesting reading – PCI Standards for 2013