Unless you happen to only shop at Wal-Mart, you probably have been well-versed and are extremely interested in the latest developments regarding the epic Target security breach. This will set the new bar as THE most elaborate retail heist in the history of the Internet. We discussed the latest this week on Fox Business. It is truly amazing that nearly 1,800 stores in the massive retailer’s network were compromised. Not to mention a key system that housed a tremendous amount of customer data. A heist of this caliber is done by the best of the best. One or more elite crime syndicates most likely performed most of reconnaissance and analysis on the Target mother ship.
The outcome of this detailed analysis yielded most likely that there were chinks in the armor of one of the world’s largest retailers. Security defenses and possibly human nature could have been taken advantage of and the results were in the form of a massive payout, one of financial and personal information for nearly one in three Americans. The network forensics of this breach continues to transpire. We will know more about the “what” and “how” in the coming weeks and months. It is safe to say that this will only get more interesting…
We know that some strain of memory scraping malware permeated the Target POS systems, and then parsed the payment information into digestible chunks. It could then be siphoned out of their network unknowingly and over protocols Target wasn’t necessarily watching for suspicious communications or attacker behaviors. Ultimately, the attackers exercised what appears to be a two-phased approach to compromising the 40 million credit and debit cards. This breach also included cards that were loaded with social security payments. This type of attack against the payment ecosystem was a classic “slow and low” approach.
The attackers first phase of the attack was to install the payment processing parser malware onto the POS systems. This process was most likely automated and not done manually by going to each register, one by one. This heist appears much more sophisticated than that. Historically, we have seen trusted patch management systems and configuration management platforms become compromised internally and subsequently leveraged to push malware out from what appears to be a trusted system update system. This is how the scale and stealth factor is achieved. It could have been one approach for the hackers to get the POS malware on the systems. Insider threat hasn’t been ruled out at this juncture as well. The memory parser then was executed and conveniently hooked into the POS binaries at the registers to capture and store in a miscreant managed database inside the Target infrastructure. The strain of malware was undetected in Target’s network.
The second stage of the attack was the critical one and often the toughest to pull off. Ultimately it was getting the payload out of the network using a command and control server and the FTP protocol to export it to the criminal’s safe haven. This was done with calculated intervals during the day and slow enough not to set off any alarms or suspicion from Target IT and security personnel.
But it got worse…It also appears another system was in play which led to the exposure and capture of nearly 70 million customer records that included email, phone number and addresses. I don’t think the attackers care too much about the “national do not call list”…. This system ultimately could have been a proprietary customer database or CRM system in which Target housed key information about customers and potentially their transactions. These analytics are extremely powerful for the monster retailer and if this system was indeed compromised, other telling information about us as consumers could be in the results of the exfiltrated data by these attackers and circling about in the cyber underworlds.
In conclusion, we will continue to learn more about this attack and it will serve as a major awakening not only for Target, but for consumers and other major retailers. We should all recognize and appreciate the level of professionalism and sophistication in which this heist was carried out. However, we should also understand that new innovation exists to thwart these types of targeted attacks. Target could have used a Custom Defense. This strategy not only focuses on advanced malware detection but also “slow and low” attacker behaviors and communications across ports and protocols in which they could have could have been inspecting. A new approach is needed. Take the target off your back today…