Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.  Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that had worked at a number of Target locations, as well as other top retailer chains.

Much to the chagrin of Target and the other retailers exposed over the past few weeks, this story is not going away anytime soon. For a more in-depth analysis I would recommend two additional articles from Brian Krebs. A closer look at the Target Malware and Target Hackers Broke in via HVAC Company.

According to reports, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

Hacker photo Feb 14

Specifically, credit card transactions are supposed to be safe even if the hacker has complete access to the network, because it is all supposed to be encrypted. The idea is that we really don’t expect John Chan’s Chinese Take-out to be running a particularly safe network, so we can assume that a hacker can easily break in to John Chan’s network. But even so, all that the hacker should be able to see is encrypted data, which would require nation-state level of computing power to decrypt, and even if decrypted, would not compromise anything other than reveal the fact that Milan seems to be fond of General Gao’s Chicken.

The “new” part of this attack is the use of Ram Scrapers – a new piece of software that, if installed on a point-of-sale computer, will steal the data right as it is being encrypted. Ram Scraping is actually quite an old technique – for more on Ram Scraping see here (login required).

That’s the last mile. But, what got Target wasn’t just the last mile – it was the attack path before the point-of-sale system. Now, details and news are beginning to emerge that the attack might have emanated from the network of an HVAC vendor that Target had hired.

The most telling piece of this is “it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores” along with “It’s not immediately clear why … that access would not be cordoned off from Target’s payment system network.”  Because of the massive size, dynamism, and complexity of today’s enterprise networks, such access from some unexpected point on the network to another is all too common and, as can be seen, can lead to massive security breaches.

This is an example of why knowing about the attack paths in an enterprise network is actually the crucial piece of analysis that is needed. Today’s state of the art focuses merely at the “critical assets” on the network – as an example “I think I am safe because I have beefed up security on my critical database server”. As you can see, this is a monumentally flawed security strategy – what you want to secure are access paths to the database server, not just the database server itself.

If you’re a CISO at a large city and I can show you how an attacker can get to your SAP system, or Air Traffic Control System, or the Water Supply SCADA systems, you’d be very concerned; that CISO doesn’t want anyone near these critical systems. What’s interesting is that CORE Insight could show him/her how an attacker can get to those systems. Insight doesn’t need to show him/her how an attacker could then change the valve settings and raise the level of chlorine in the drinking water to a near-fatal level, just getting to these systems is bad enough and worth preventing.

CORE Insight, in a very real way, could have predicted that point-of-sale systems are actually quite reachable by attackers. Insight, or anyone else, would not have been able to show what an attacker could do once he got to the point-of-sale systems, but that’s the whole point – a CISO would have easily said “I just don’t want anyone near my POS systems, so let’s start locking these paths down.”

We’ll learn more about this breach in the coming weeks, but what we do know already is that preventing hackers from getting to the critical systems is a prudent proactive approach to security. 

Milan Shah, Sr. Vice President, Engineering and Products