Security Experts:

Report Examines Unanswered Questions Around Target Attack

Cybersecurity startup Aorato has published a report around the data breach suffered in 2013 by Target, which investigates some of the techniques used by the attackers to gain access to the company's networks.

The attack, which resulted in the theft of 40 million payment cards and 70 million personally identifiable information records, caused financial damage of tens of millions of dollars. In a statement made earlier in August, Target reported that, in the second quarter of 2014, it expects to record gross breach-related expenses of $148 million (partially offset by the recognition of a $38 million insurance receivable).

Since the breach came to light, all aspects of the story have been analyzed by the media and security experts, and now, based on publicly available information, Aorato has reviewed the steps taken by the attackers, from the HVAC (heating, ventilation, and air conditioning) contractor breach up to the theft of sensitive information from the retailer's networks.

In the first phase of the operation, the attackers installed malware (Citadel) on the systems of Target's HVAC contractor in an effort to steal credentials. Then, the stolen credentials were used to access one of the Web applications made available by the retailer for vendors. However, none of these applications the attackers had access to allowed the arbitrary command execution needed to compromise the underlying server. Experts believe that the cybercriminals leveraged a vulnerability in the application to upload a backdoor that enabled them to upload files and execute commands.

In the next phase, the attackers started searching the Target network for devices hosting sensitive information and point-of-sale (PoS) machines. This was most likely done through the Active Directory service, Aorato said.

After identifying the relevant targets, the cybercrooks stole an access token (NT hash) for a user account with domain admin privileges by utilizing an attack method dubbed "Pass-the-Hash." With the stolen token in hand, the attackers used Windows commands to create a new domain admin account that gave them persistency and access to additional services.

In phase seven, the attackers used the newly created administrator credentials to propagate to relevant computers. They used various tools to bypass firewalls and other network security solutions, and run remote processes on the machines that stood between them and the loot. Experts believe that the 70 million records containing personal information were stored in a database which the cybercriminals queried by using SQL-related tools.

Aorato assumes that the attackers went after PoS systems because Target was PCI compliant and it did not store credit card information in its databases. The 40 million payment card records were stolen with the aid of the Kaptoxa malware, which scans the memory of PoS machines in search for card data which it saves to a local file.

The files containing sensitive data were periodically copied to an FTP-enabled machine via a remote share. From this location, the files were later sent to an FTP account controlled by the attackers.

"Generally speaking, the Target attackers largely followed the general APT 'kill chain' attack model. However, the Target attack presents unique nuances to the model. These nuances stem from the fact that operations aiming to steal credit cards are inherently different from classic APT operations aimed at intelligence gathering and infrastructure sabotage," Aorato noted in its report.

"The main difference is that credit card-oriented attacks are bound to be revealed in a relatively short time as the monetization path of the attackers must include massive usage of the stolen credit cards that will get detected by the credit cards vendor’s fraud departments."

Researchers highlight the fact that in such credit card-oriented attacks, cybercriminals don't invest too much in infrastructure and automation. As in the case of Target, many operations are carried out manually with the aid of various tools; the only automated tasks are performed by the piece of malware used in the attack. In this particular attack, unlike many other APT attacks, the cybercrooks had not created a command and control (C&C) infrastructure, and instead operated everything manually from within the network.