Target’s breach should mark a watershed in enterprise security. Not just because of the immense volume of stolen data (40M credit card details), or the financial damage that Target may be subject to (Target reported $61M in costs related to the breach through February 1st), but because of the APT techniques used in the process by non-state-backed hackers against a strictly commercial target (pardon the pun). The attack should serve as a wake-up call: enterprises should consider themselves targets of APT-like campaigns and prepare their defenses accordingly.
Target breach in a Nutshell
Unless you’ve been living under a rock for the last two months, you are probably familiar with the details of the Target attack. For the slim chance that you are not, here’s a brief summary:
In November 2013, hackers breached Target’s network by using stolen credentials of an air conditioning subcontractor to access a system within Target’s internal network. From that system, the hackers were able to propagate through Target’s Windows-based network and reach the PoS (Point-of-Sale) system. Then, the hackers installed memory-scraping malware on the PoS Windows machines. Later, the hackers used a Windows domain account to send the stolen credit card details to a central repository within Target’s network. From there, the data was offloaded to a hacker-controlled asset via FTP, probably to Russia. The attack carried on until mid-December, resulting in the theft of 40 million credit card details of Target’s customers, with many of them offered for sale on some black market websites. Target reported the costs related to the breach through February 1st to be $61 million.
The APT Kill Chain in Target’s Breach
We can see that Target’s attackers had carefully read the APT playbook and followed its modus operandi, also known as the “APT kill chain”.
The APT Kill Chain (Source: Verdasys)
Here are some key elements of the APT kill chain as they were demonstrated in Target’s breach:
• Planning: The influential security writer Brian Krebs blogged about the “massive amounts” of internal documentation that Target had posted on publicly available web sites, covering vendors’ identities and the ways they can interact with Target’s systems, including the system abused by the attackers. Krebs concluded that “many of these documents would be a potential gold mine of information for an attacker.”
• Lateral movement: The attackers needed lateral movement capabilities both to get from their initial entry point (the vendor-accessible system) to their target (the PoS system) and to get the data out of the PoS to a computer that can be reached from the Internet, so the data could be exfiltrated. While no explicit information was released on the matter, the disclosed set of publicly available IT tools used by the attackers leaves very little room for doubt. According to the Dell SecureWorks report, the attackers used the “Elcomsoft Proactive Password Auditor password cracking tool” to obtain Windows passwords, and then used “Microsoft Sysinternals PsExec” and “Microsoft System Center 2012 SP1 Orchestrator” to run processes on remote systems with the stolen passwords.
• Target Identification: In this phase the attackers needed to identify the technical whereabouts of their target, Target’s PoS system. Once more, the set of IT tools used by the attackers sheds light on their activity. The attackers used internal reconnaissance tools, such as the “Angry IP network scanner” and “DumpSec”, which gather information about machine names, IP addresses, users and network shares.
• Data collection: The attackers collected data from the PoS by installing the dedicated and previously unknown POSWDS malware. POSWDS reads the relevant PoS process’s memory and exhaustively scans it for valid credit card data.
• Data exfiltration: Data exfiltration was a two-staged process, since PoS machines were not connected directly to the Internet. First, the POSWDS malware would periodically send stolen credit card data to an internal dump server, by using Windows networking and credentials. Then, the attackers installed another dedicated malware to move stolen data from the internal dump server, through the firewall, and out to a drop site on the Internet using Windows’ built-in FTP client.
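The two-stage exfiltration path described in the last bullet can be hunted for in network flow data. The following is an added example, not code from the original article or from any report it cites: it flags internal hosts that receive Windows file-sharing traffic from PoS terminals and also initiate outbound FTP. The subnets, the approved-peer list, the use of SMB ports 139/445 for the "Windows networking" leg, and the flow records are all constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Assumed network layout (hypothetical, not taken from the article).
POS_NET = ipaddress.ip_network("10.20.0.0/16")            # PoS terminals
INTERNAL = ipaddress.ip_network("10.0.0.0/8")             # all internal space
APPROVED_POS_PEERS = {ipaddress.ip_address("10.10.1.5")}  # payment backend
SMB_PORTS, FTP_PORT = {139, 445}, 21

# Constructed flow records: time,src,dst,dport,bytes
SAMPLE_FLOWS = """\
2024-01-02T10:00:00,10.20.3.11,10.10.1.5,443,5200
2024-01-02T10:05:00,10.20.3.11,10.10.7.40,445,81234
2024-01-02T10:06:00,10.20.8.77,10.10.7.40,445,79011
2024-01-02T11:00:00,10.10.7.40,203.0.113.9,21,950000
2024-01-02T11:30:00,10.10.2.9,10.10.1.5,445,1200
2024-01-02T12:00:00,10.10.3.3,198.51.100.4,21,4000
"""

def find_exfil_paths(flow_csv):
    """Return sorted (severity, host, detail) alerts for the two-stage pattern."""
    pos_smb_targets = defaultdict(set)  # internal host -> PoS hosts writing to it
    ftp_out = defaultdict(int)          # internal host -> bytes sent over FTP
    for _ts, src, dst, dport, nbytes in csv.reader(io.StringIO(flow_csv)):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        dport = int(dport)
        # Stage 1: PoS terminal pushing data to an unapproved internal host.
        if src in POS_NET and dport in SMB_PORTS and dst not in APPROVED_POS_PEERS:
            pos_smb_targets[dst].add(src)
        # Stage 2: internal host opening FTP to an address outside the network.
        elif src in INTERNAL and dst not in INTERNAL and dport == FTP_PORT:
            ftp_out[src] += int(nbytes)
    alerts = []
    for host, sources in pos_smb_targets.items():
        # Both stages on one host is the dump-server pattern: highest severity.
        sev = "critical" if host in ftp_out else "high"
        alerts.append((sev, str(host),
                       f"SMB from {len(sources)} PoS hosts, "
                       f"outbound FTP bytes={ftp_out.get(host, 0)}"))
    for host, total in ftp_out.items():
        if host not in pos_smb_targets:
            alerts.append(("medium", str(host), f"outbound FTP bytes={total}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_exfil_paths(SAMPLE_FLOWS):
        print(alert)
```

Neither stage is unusual enough on its own to page anyone in a large Windows network; the correlation of both on a single host is what raises the severity.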
Was the Target Breach really an APT?
Breaking the APT term down into its core elements reveals that the Target breach qualifies as one:
• Advanced: the attacker is capable of developing custom exploits. In Target’s breach, at least two of the attack modules, including the PoS malware, were previously unknown.
• Persistent: a mission-oriented adversary. It’s evident that the Target breach was the result of a long premeditated process that targeted the retailer’s PoS during the peak season of Black Friday, and not some opportunistic attempt that got lucky.
• Threat: the adversary is organized, funded and motivated. It’s not hard to imagine that criminal parties would be very interested in funding such an operation that has a very clear “cash out” path.
Some purists would argue that the Target breach was not really an APT attack. Certainly, when the United States Air Force (USAF) analysts originally coined the term, back in 2006, they probably had much more sophisticated attacks in mind, such as “Stuxnet”, in which Iran’s nuclear facilities were damaged by malware. However, it seems that the APT definition is general and useful enough to include attacks such as the Target breach, as the modus operandi is very similar. The usefulness of the definition is demonstrated by the fact that the only security solution that alerted on the attack was an anti-APT solution, which identified the exfiltration of data from Target’s network as APT communications.
The Security Lesson
The Target breach shows that APT attacks have become commoditized and therefore should concern not only the government and defense industry, but probably every enterprise. To avoid being the next Target, enterprises should plan their anti-APT response: deploy relevant security solutions and create appropriate procedures.