Target: A Breakdown of What Happened

posted Feb 5, 2014, 8:23 PM by Beau Bullock   [ updated Feb 5, 2014, 8:24 PM ]
Today it was revealed how the hackers who stole 40 million credit and debit cards from Target initially got in. I have been hesitant to report anything on this massive story because I have been waiting to hear how the initial compromise occurred. It is now known that the attackers stole a third-party HVAC company's network credentials and used them to log in to Target's network and deploy their malware. FAZIO Mechanical Services is a refrigeration and HVAC company used by Target at a number of its locations. FAZIO's credentials for Target's network are allegedly the entry point of this attack.

Before diving too deep into this story, here is a brief timeline of what occurred:
  • Pre-Nov. 15, 2013 - Attackers stole FAZIO Mechanical Services (refrigeration and HVAC systems company) network creds for Target's network
  • Nov. 15-28, 2013 - Used FAZIO creds to log in to Target's network and deploy malware (POSWDS) to POS devices
  • Nov. 15-28, 2013 - Set up exfiltration server (10.116.240.31) to collect data and transmit to drop servers
  • Nov. 27, 2013 - POSWDS malware began transmitting card data from all infected POS devices back to exfil server
  • Nov. 27-Dec. 15, 2013 - Exfil server malware (BladeLogic) FTP'd collected card data from exfil server to external drop servers off network in various locations (Miami, Brazil, etc.)
  • Dec. 11, 2013 - Malware sample uploaded to VirusTotal.com
  • Dec. 18, 2013 - Malware sample uploaded to Symantec's ThreatExpert
  • Dec. 18, 2013 - Krebs article indicating a breach
  • Dec. 19, 2013 - Target released a statement indicating that it had been the victim of a major credit card breach between Nov. 27 and Dec. 15
Let's start at the beginning. At the moment we don't have all the details, so we can only speculate about how the attackers got FAZIO's credentials to Target's network. It is possible FAZIO's own network was compromised and the attackers were able to sniff the credentials off the wire. Another avenue could have been password reuse: perhaps the credentials FAZIO used to log in to Target's network were also used elsewhere, and if that other site was compromised the attackers could have obtained them there. It hasn't been stated how this login was actually used. Typically a third-party vendor like this would have a VPN set up and locked down to specific source IP addresses. If Target was allowing them to VPN in from anywhere, it is very possible that is all the attackers did too. Maybe Target had an external SSH server or remote desktop set up for them. Either way, the attackers were able to use this login to gain access to Target's network on November 15, 2013.

Apparently, there are two separate pieces of malware involved in this attack: a collector malware that sat on the point of sale (POS) devices and sent data back to an exfiltration server, and an uploader malware that sent the data harvested from the POS devices to an external drop site. Between November 15th and November 28th the attackers deployed their custom-coded malware and ensured it was working correctly before exfiltrating any data. They deployed the initial collector malware to each POS device during this time. Exactly how it was deployed is still not known. It may be possible that the attackers gained access to an internal software deployment server and used it to load the malware onto Target's POS devices. This POS malware has come to be known as POSWDS. It installs itself as a service using a name (svchosts.exe) almost identical to the Windows Service host process (svchost.exe). This is a very common tactic used by malware authors to hide in plain sight. Card data is written by this malware to %WinDir%\system32\winxml.dll. This file is periodically moved off of the POS device to an intermediate dump server using an external mount point. It has been reported that this internal Target server's IP address was 10.116.240.31. It is believed that the user name used to transmit this data was "Best1_user", and the password for this account was "BackupU$r". It is also believed that "ttcopscli3acs" is a Target internal domain name. The exact share location used to collect the card data was \\10.116.240.31\c$\WINDOWS\twain_32\.
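The "hide in plain sight" trick above (svchosts.exe next to the real svchost.exe) is cheap to hunt for: compare every service's binary name against a list of legitimate Windows system binaries and flag near-misses. This is an added example, not code from the original post; the service records and the list of known binaries are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Legitimate Windows system binaries that malware commonly imitates (constructed list).
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                         "winlogon.exe", "explorer.exe", "spoolsv.exe", "wininit.exe"}
FILENAME_RE = re.compile(r"([^\\/\s]+\.(?:exe|dll))", re.I)   # first .exe/.dll in a command line

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def lookalike_of(binary: str) -> Optional[str]:
    # Return the system binary this name imitates; None if it is exact or unrelated.
    name = binary.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for legit in KNOWN_SYSTEM_BINARIES:
        if edit_distance(name, legit) <= 1:
            return legit
    return None

def find_lookalike_services(services: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (service name, image path, imitated binary) for each suspicious entry."""
    findings = []
    for svc in services:
        m = FILENAME_RE.search(svc["image_path"])
        target = lookalike_of(m.group(1)) if m else None
        if target:
            findings.append((svc["name"], svc["image_path"], target))
    return findings

# Constructed service list modelled on a POS host carrying the POSWDS service.
SAMPLE_SERVICES = [
    {"name": "DcomLaunch", "image_path": r"C:\Windows\System32\svchost.exe -k DcomLaunch"},
    {"name": "POSWDS", "image_path": r"C:\Windows\System32\svchosts.exe"},
    {"name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "PrintHelper", "image_path": r"C:\Windows\Temp\lsasss.exe"},
]

if __name__ == "__main__":
    for hit in find_lookalike_services(SAMPLE_SERVICES):
        print("suspicious service %s (%s) imitates %s" % hit)
```

On a real fleet the service list would come from the POS image or an EDR inventory; the same distance check works for scheduled task names and autorun entries.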

Once the attackers were able to transfer the card data to a centralized location, they then found a way to send that data out of the Target network. BladeLogic is the name of the service the malware spawned on the exfiltration server. This service collected the card data from the POS devices and sent it off network. Something I find really interesting is the time at which this data was sent. Both the POS malware and the uploader malware were coded to only exfiltrate card data between the hours of 10 AM and 6 PM. What that tells me is that the attackers wanted their exfiltration to look like normal everyday network traffic. Instead of moving the data in the middle of the night, when not much should be going on, they only transmitted during the high-activity time of day.

Around December 11th is when the first samples of this malware were uploaded to VirusTotal.com. This could possibly indicate a time when Target personnel first became aware of the infection. 

On December 18th Brian Krebs posted that he received word from sources indicating a breach at Target.

On December 19th Target confirmed in a post on their website that payment card data had been stolen.

In the middle of the investigation into this breach, Target found that 70 million Target customers' personal information was also stolen in this attack. This included name, email address, phone number, and mailing address. How this data was stolen has not yet been detailed, but we can make a few observations based on the tools discovered on the Target network. The following are tools that were used in this attack:
  • QueryExpress.exe – Portable SQL client for MSSQL and Oracle DBs
  • osql.exe – MSSQL query tool
  • osql.dll – MSSQL query tool resource DLL
  • lsql.exe – MSSQL query tool
  • netcat.exe – Network utility for transmitting data and making connections between hosts
  • psexec.exe – Microsoft Sysinternals tool for running processes on remote systems
  • ipscan.exe – Angry IP Scanner
  • dumpsec.exe – Somarsoft DumpSec. Dumps Access Control List info for files, registry, and network shares
  • bcp.exe – MSSQL bulk SQL copy tool
  • OrchestratorRunProgramService.exe – Microsoft System Center 2012 SP1 Orchestrator
  • portforward.exe – Network port forwarding tool
  • ppa_setup_en.msi – Elcomsoft Proactive Password Auditor password cracking tool
All of the database tools listed here make me think the 70 million customers' personal information came from a database. It may be possible that an employee at Target had a file with this information sitting on their desktop, but I have a feeling the attackers were able to access the database itself.

How could Target have detected this?

The fact that a third-party company's credentials were used by the attackers to get in initially is not necessarily the third party's fault. An HVAC company should only need access to the network while it is actually checking the A/C units. In fact, it's a PCI requirement:

8.5.6.a – Verify that any accounts used by vendors to access, support and maintain system components are disabled, and enabled only when needed by the vendor.
8.5.6.b – Verify that vendor remote access accounts are monitored while being used.

That being said, Target should have had restrictive controls in place for this vendor's account and should have been alerted to any password brute-forcing attempts.
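What 8.5.6-style monitoring of a vendor account looks like in practice, as an added example (not from the original post): the account is only expected to log in from the vendor's registered address and only while it has been enabled for a ticketed visit, and a burst of failed logons is treated as brute forcing. The account name fazio_svc, the window, the source addresses and the VPN log lines are all constructed.

```python
from datetime import datetime

VENDOR_ACCOUNT = "fazio_svc"                  # hypothetical vendor login
VENDOR_SOURCE_IPS = {"198.51.100.20"}         # the vendor's registered source address
# Window in which the account was enabled for a ticketed maintenance visit (constructed).
ENABLED_WINDOWS = [(datetime(2013, 11, 12, 8, 0), datetime(2013, 11, 12, 17, 0))]
FAILURE_THRESHOLD = 5                         # failed logons within one hour before alerting

# Constructed VPN authentication log: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2013-11-12 09:14:03 user=fazio_svc src=198.51.100.20 result=success
2013-11-14 23:01:10 user=fazio_svc src=203.0.113.77 result=failure
2013-11-14 23:01:12 user=fazio_svc src=203.0.113.77 result=failure
2013-11-14 23:01:14 user=fazio_svc src=203.0.113.77 result=failure
2013-11-14 23:01:16 user=fazio_svc src=203.0.113.77 result=failure
2013-11-14 23:01:18 user=fazio_svc src=203.0.113.77 result=failure
2013-11-15 02:17:45 user=fazio_svc src=203.0.113.77 result=success
"""

def parse(text):
    """Yield (timestamp, fields) for each log line."""
    for line in text.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        yield ts, dict(kv.split("=", 1) for kv in line[20:].split())

def in_enabled_window(ts):
    return any(start <= ts <= end for start, end in ENABLED_WINDOWS)

def audit_vendor_logons(text):
    """Return (timestamp, reason) alerts for the vendor account."""
    alerts, failures = [], []          # failures: timestamps inside a sliding one-hour window
    for ts, f in parse(text):
        if f["user"] != VENDOR_ACCOUNT:
            continue
        if f["result"] == "failure":
            failures = [t for t in failures if (ts - t).total_seconds() <= 3600] + [ts]
            if len(failures) >= FAILURE_THRESHOLD:
                alerts.append((ts, f"{len(failures)} failed logons within an hour from {f['src']}"))
            continue
        if f["src"] not in VENDOR_SOURCE_IPS:
            alerts.append((ts, f"successful logon from unregistered address {f['src']}"))
        if not in_enabled_window(ts):
            alerts.append((ts, "successful logon while the account should have been disabled"))
    return alerts

if __name__ == "__main__":
    for ts, reason in audit_vendor_logons(SAMPLE_LOG):
        print(ts, reason)
```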

Neither piece of malware used in this attack was caught by anti-virus. The BlackPOS malware was uploaded to VirusTotal.com and not one of the 40+ anti-virus engines flagged it as malicious. In today's threat landscape you can't stop determined attackers from bypassing anti-virus: anti-virus only works for known malware, and anything custom-written or polymorphic will not be caught. Application whitelisting would probably have stopped this malware. What application whitelisting does is essentially the opposite of anti-virus: instead of blocking known malware, it only allows known-good files to run. This would have been an ideal solution for the POS devices, as they generally should require little change.

The tools discovered after the attack are all very common hacker tools that should have thrown red flags on the network.

The data exfiltration should have been stopped by egress filtering on Target's firewalls. Apparently the attackers found a system that had outbound FTP access to the internet. How they gained access to this system hasn't been disclosed, but judging by the fact that a password cracking tool was found, it may be safe to assume the hackers were able to gain access to an account used on this system. It's also possible that the attackers used psexec to pass the hash from a different, previously compromised system.
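The egress-filtering point, shown as an added example rather than anything from the original post: an allow-list of the external destinations internal hosts may reach, applied to constructed firewall logs. Because the uploader sent only between 10 AM and 6 PM, the check deliberately ignores time of day and keys on destination and volume instead. The log format, the 10.0.0.0/8 internal range and the allowed payment-gateway address are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed firewall log: one connection per line, key=value fields.
SAMPLE_LOG = """\
2013-11-28 10:15:02 src=10.116.240.31 dst=198.51.100.7 dport=21 proto=tcp bytes=524288 action=allow
2013-11-28 10:16:40 src=10.116.240.31 dst=198.51.100.7 dport=21 proto=tcp bytes=1048576 action=allow
2013-11-28 11:02:11 src=10.20.5.14 dst=203.0.113.10 dport=443 proto=tcp bytes=2048 action=allow
2013-11-28 11:05:59 src=10.20.5.14 dst=10.116.240.31 dport=445 proto=tcp bytes=8192 action=allow
2013-11-28 14:30:05 src=10.20.7.9 dst=192.0.2.50 dport=21 proto=tcp bytes=300 action=deny
"""

# Hypothetical egress policy: the only external (destination, port) pairs internal hosts may reach.
ALLOWED_EGRESS = {("203.0.113.10", 443)}      # e.g. the payment processor's gateway
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
                     r"proto=(?P<proto>\S+) bytes=(?P<bytes>\d+) action=(?P<action>\S+)")

def parse_log(text: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_unauthorized_egress(text: str) -> List[Dict[str, str]]:
    """Return permitted outbound flows that the egress allow-list should have blocked."""
    violations = []
    for rec in parse_log(text):
        # Denied, inbound and internal-to-internal flows are not egress violations.
        if rec["action"] != "allow" or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if (rec["dst"], int(rec["dport"])) not in ALLOWED_EGRESS:
            violations.append(rec)
    return violations

def bytes_per_destination(violations: List[Dict[str, str]]) -> Dict[str, int]:
    """Sum the bytes that left for each unauthorized destination; volume, not time, is the signal."""
    totals: Dict[str, int] = {}
    for v in violations:
        totals[v["dst"]] = totals.get(v["dst"], 0) + int(v["bytes"])
    return totals

if __name__ == "__main__":
    hits = find_unauthorized_egress(SAMPLE_LOG)
    for v in hits:
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['dport']} {v['bytes']} bytes: should have been blocked")
    print(bytes_per_destination(hits))
```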

It’s possible that the 70 million customers whose personal information was stolen came from a database. Database security software that could monitor connections and only allow approved queries would have been extremely helpful in protecting this data.

In conclusion

This attack was very complex. It demonstrates how determined attackers can maneuver around security controls to gain access to what they want. The initial compromise of an organization always seems to be the easy part. Whether it's a phishing message with a malicious payload or a third-party vendor's stolen network credentials, attackers always seem to find the crack in the wall that becomes a gaping hole. This wasn't the first time an attack of this level has occurred and it certainly won't be the last. Maybe the fact that this breach has made so much news will end up helping organizations get the backing they need to properly secure their networks.
