There are still more questions than answers about the Target
breach, but new insights are emerging that shine a light on the point-of-sale (POS) attack. According to Seculert, Dexter, a custom-made malware that’s been springing up over the last few months to infect POS systems, isn’t the culprit in the breach, which affected at least 70 million customers.
“First, the malware that infected Target’s checkout counters (POS) extracted credit numbers and sensitive personal details,” Seculert’s Aviv Raff wrote in a blog post. “Then, after staying undetected for six days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network."
With Dexter, on the other hand, malware injected into files hosted on Windows servers scrapes credit card numbers as they’re entered through the POS system.
According to Seculert, the malware in the Target breach began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked Web site on Dec. 2. These transmissions occurred several times a day over a two-week period. The cybercriminals behind the attack used a virtual private server located in Russia to download the stolen data from the FTP, the firm reports.
“They continued to download the data over two weeks for a total of 11 GBS of stolen sensitive ,” Raff said. “While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.”
A Key Lesson Learned
We caught up with Dwayne Melancon, chief technology officer at TripWire, to get his views on the latest revelations surrounding the Target breach. He told us identifying the malware used and how data was exfiltrated in the Target attack is helpful but one of the key questions in this breach is how every point of sale device in every Target store in the U.S. was compromised.
“This fact seems to indicate that the compromise came from deep inside Target’s network and implies that the attackers had detailed knowledge of Target’s infrastructure, as well as their patching and software deployment practices,” Melancon said. “This knowledge would allow them to craft an attack designed to take advantage of specific blind spots in Target's infrastructure.”
As he sees it, this kind of insider knowledge could have come from someone currently at Target or, perhaps more likely, from a past employee or a trusted business partner. Predictability is, in itself, vulnerability, he said, so if attackers know what you're going to do before you do it, it is easy to craft an attack that takes advantage of your habits.
“This breach underscores the importance of having a good understanding of exactly what is running on your network and implementing controls to protect your deployment process to ensure that only authorized, trusted, sanctioned payloads are deployed into your production environment,” he concluded.
Infect Once, Deploy Everywhere
Ken Westin, security researcher at TripWire, told us Seculert has answered one of the big questions surrounding this breach -- now we know how the credit card data was exfiltrated. However, he added, we still don’t know how the malware was propagated to every POS device in every Target store in the U.S.
“I believe the answer to this question is in Target’s IT architecture. All Target POS systems are updated from a single server in each store that receives POS software updates and disseminates them to the devices outside business hours,” Westin said. “The fact that every POS device was infected implies that the initial compromise was inside Target’s core IT infrastructure.”
“Once the attackers were inside the network they only needed to put an infected version of the POS software on the central hub that communicates POS patches to every store and then Target’s system would unknowingly propagate it across their entire infrastructure with incredible efficiency,” he said. “These attackers definitely used an ‘infect once, deploy everywhere’ strategy that was incredibly effective.”