This is just my supposition on how the Target breach occurred, but it is based on what has been released to date plus what limited knowledge I have of Target’s environment, the environments of other large retailers and my many years of penetration testing.
Fazio Mechanical Services
According to the latest reporting, Fazio Mechanical Services (Fazio) is believed to be the starting point of the Target breach. From what has been reported, a phishing attack on Fazio yielded access to Fazio’s computer systems and network. In their statement regarding the breach, Fazio says:
“Fazio Mechanical does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target.”
“Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.”
If we take Fazio at their word, Fazio did not have direct access to Target’s network. That means if Fazio was breached, that breach did not result in a direct path to Target’s network. Brian Krebs reported that he spoke with an ex-Target employee who told him that Target uses the Ariba Supplier Management solution for managing its external vendors. The Ariba system is available publicly on the Internet but it requires credentials in order to gain access to the application.
Based on these facts, my guess is that the Fazio attackers were likely separate from the Target attackers. Therefore, the Fazio breach is like most breaches; the attackers get in, probe around and then leave if nothing of value can be identified. That is not to say that they were not necessarily targeted for a way into Target, but I find it unlikely that Fazio was specifically targeted for the Target breach.
The Fazio attackers likely advertised the information and credentials that they gathered to other attackers on the Internet “underground” and sold them to whoever was willing to pay including the Target attackers.
In my opinion, the Russians that eventually sold the card information were probably not the actual attackers that retrieved the cardholder data from Target. However, they likely could have been behind the attack as the folks that instigated it and funded it. Other than selling the cardholder information, until these individuals admit their role, we will probably never know if they were just a fence for the information retrieved or if they were behind the attack.
In my scenario, the Russians began scoping out likely candidates for compromise and picked Target because they found information on the Internet “underground” and determined that it was likely possible to successfully get in and get information. Once the research was done, they then assembled a team to get the actual attack done.
In reading the various news accounts, the Secret Service indicated that the attack was sophisticated. A review of the infamous Microsoft case study shows that Target had implemented Microsoft Windows Server Update Services (WSUS), now part of Microsoft System Center Operations Manager (SCOM), at all of their stores so that they could rapidly deploy updates to their stores in the smallest possible time frame. In the retail business, IT people get very small windows of opportunity to perform updates, so this architecture would provide IT with the ability to stage updates and then deploy those updates as quickly as possible.
A lot of people have commented throughout the numerous discussions of the breach on Google+, LinkedIn and Twitter questioning how the attackers could have compromised so many POS systems so quickly. It is my opinion that this was done through SCOM.
But there is a huge problem with using SCOM when the software is not Microsoft’s: SCOM can be anywhere from somewhat to very temperamental when it comes to deploying non-Microsoft software and updates. Over the years it has gotten better with some non-Microsoft solutions, but deploying malware via SCOM and having it work right the first time requires knowledge of not only SCOM but also the Target computing environment.
This brings me to the fact that I believe an insider had to have been involved in the breach. Not necessarily an actual Target employee, although that cannot necessarily be ruled out, but more likely a knowledgeable contractor. Like all large corporations, Target outsources development to contractors that have offices and staff located all over the world. Those contractors also have their own contractors that are located all over the world. It is my opinion that the Russians compromised one or more contractors with development knowledge of Target’s POS application and deployment of the POS software. This was required to develop the malware from the BlackPOS code and develop a one-time successful deployment capability using SCOM. Whether or not these individuals were actually part of the attack team is debatable. They would only be needed to develop the solution and the SCOM deployment scripts and possibly procedures to avoid Target’s QA process.
Outsourced contractors in third world countries can be readily bought. People in the West forget that these developers can be making anywhere from cents per hour to only a few dollars an hour. That is why development work is outsourced to them as it is more cost effective than using developers where they are making one hundred dollars per hour or even more.
But that brings up an interesting conundrum in this breach. If a contractor was compromised, could they not still be involved in Target’s development efforts and just deliver the malware directly as part of their deliverable? I think that could have been a possibility, but it would have risked being discovered in Target’s code review, quality assurance and testing processes which is probably why the malware was not delivered by that method.
The attackers could have come from anywhere, but most likely are from Russia or one of the former Russian states such as Ukraine or Belarus. The reason this is most likely is that the people that sold the Target cardholder data were Russians and they would want people with their same background to execute the attack as well as having some amount of control over the attack team.
The attackers that broke into Target likely went shopping for ways into Target and found the Fazio Ariba credentials for Target as well as probably other credentials to other publicly available Target applications. The attackers either bought those credentials or had their Russian bosses purchase those credentials.
I had to put my penetration testing hat on to figure out how the Ariba credentials came into play. The reason is that if Ariba is available from the Internet to anyone, why would an attacker need credentials? Then it dawned on me. They needed the credentials in order to compromise Target quietly.
My rationale for this is that Target does a decent job at securing publicly facing applications, particularly since their 2007 breach. Assuming the Ariba application was properly implemented, doing an attack without the credentials would have alerted Target’s information security personnel and it would have been game over.
As a result, the attackers needed the credentials so that they could gain access to Ariba and then compromise it with a cross-site scripting attack, SQL injection or whatever they used to gain access to one or more of the Ariba servers, from which they could then breach the rest of Target’s network, specifically the SCOM system(s). The reason this approach would be more likely to be ignored is that the attackers would have valid credentials, and any anomalous activity would likely be written off by Target personnel.
This brings us to the next reason I believe an insider is involved. The timeline discussed thus far gives the impression that the breach was a fairly quick operation. The only way the breach could have been conducted so quickly is if the attackers had knowledge of where they needed to go to compromise the SCOM system.
That said, the database of Target guests that was also retrieved was likely collateral damage in that it was encountered during the attack and was taken so that the attackers did not walk away empty handed. The other possibility is that the database was used to test the data exfiltration process to ensure it would go undetected.
Once the attackers owned the Ariba system, they would then have had access to the administrators of Ariba. The insider would have given the attackers an idea of where the SCOM system was located and probably who had access. It then became a process of compromising one of those administrators to gain access to SCOM. Because they were inside Target’s network, the administrators were likely compromised using an extremely targeted phishing attack using the internal email system. As a result, the phishing message would have looked even more legitimate because it was internally generated and delivered. The message likely contained some sort of Word or Excel document that had backdoor software that would not be detected by the anti-virus solution.
However, another option could have been used once the attackers were inside. They could have approached any of the administrators, pretended to be a contractor and asked for access to SCOM in the test environment. From there they could have staged their malware and then sent it through the QA process. Regardless of how they gained access to SCOM, the attackers had to have used the SCOM system to deploy their malware with the speed that they deployed it.
Creating the data dispersal server was a straightforward problem. With the insider’s knowledge, they knew where FTP was implemented and merely compromised the server to be their own collection point so as not to arouse suspicion. To get the data out of Target they used DNS, as every system needs access to DNS. A lot of people have argued that Target should have seen the exfiltration of the data via DNS and have pilloried Target for their ineptitude. However, if the attackers were as sophisticated as they have been portrayed, they likely constructed their exfiltration system to mimic the size of valid DNS packets, and thus only traffic volume would have been a possible trigger.
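The point about size-mimicking leaves volume as the signal a defender can still use. The following is an added example, not code from the original post, showing what a volume-based check over DNS query logs looks like: it buckets queries per client, per base domain and per one-minute window, and flags a bucket when the query count is high and almost every queried name is unique (an encoding signature that per-packet size mimicry does not hide). The log format, the thresholds, the IP addresses and domain names, and the sample traffic are all constructed for illustration.

```python
"""Volume-based DNS exfiltration detection over constructed query logs.

Added example, not from the original post. Log format, thresholds,
addresses and domain names are assumptions chosen for illustration.
"""
import hashlib
from collections import defaultdict

WINDOW_SECONDS = 60       # assumed aggregation window
MIN_QUERIES = 50          # assumed per-window volume threshold for one (client, domain)
MIN_UNIQUE_RATIO = 0.9    # assumed share of never-repeated names that suggests encoding


def build_sample_log():
    """Constructed sample traffic: one ordinary client and one chatty register.

    Line format (assumed): "<epoch_seconds> <client_ip> <queried_name>".
    """
    lines = []
    normal_names = ["www.corp.test", "mail.corp.test", "update.corp.test", "cdn.vendor.test"]
    for i in range(12):
        lines.append(f"{1385942400 + i * 5} 10.1.1.20 {normal_names[i % len(normal_names)]}")
    # Suspicious client: 120 queries in one minute, every name unique, but each
    # label kept short so individual packets look like ordinary lookups.
    for i in range(120):
        label = hashlib.sha1(f"chunk-{i}".encode()).hexdigest()[:12]  # constructed label
        lines.append(f"{1385942400 + i // 2} 10.2.7.131 {label}.sync.evil-collector.test")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed three-column log into (timestamp, client, qname) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.rstrip(".").lower()))
    return records


def base_domain(qname, levels=2):
    """Registrable-domain approximation: keep the last `levels` labels."""
    return ".".join(qname.split(".")[-levels:])


def summarize(records, window=WINDOW_SECONDS):
    """Aggregate per (client, base domain, window bucket)."""
    buckets = defaultdict(lambda: {"queries": 0, "names": set(), "prefix_chars": 0})
    for ts, client, qname in records:
        domain = base_domain(qname)
        b = buckets[(client, domain, ts // window)]
        b["queries"] += 1
        b["names"].add(qname)
        # Length of everything left of the base domain (the part an encoder controls).
        b["prefix_chars"] += max(len(qname) - len(domain) - 1, 0)
    return buckets


def flag_exfiltration(records, window=WINDOW_SECONDS, min_queries=MIN_QUERIES,
                      min_unique_ratio=MIN_UNIQUE_RATIO):
    """Return alert dicts for buckets that are both high-volume and nearly all-unique."""
    alerts = []
    for (client, domain, bucket), b in summarize(records, window).items():
        unique_ratio = len(b["names"]) / b["queries"]
        if b["queries"] >= min_queries and unique_ratio >= min_unique_ratio:
            alerts.append({
                "client": client,
                "domain": domain,
                "window_start": bucket * window,
                "queries": b["queries"],
                "unique_ratio": round(unique_ratio, 2),
                "mean_prefix_len": round(b["prefix_chars"] / b["queries"], 1),
            })
    return sorted(alerts, key=lambda a: (a["client"], a["window_start"]))


if __name__ == "__main__":
    for alert in flag_exfiltration(parse_log(build_sample_log())):
        print(alert)
```

In the sample the ordinary client never exceeds a dozen lookups to one domain, while the register sends 120 distinct names to a single domain within one window and is flagged even though its mean prefix length (17 characters) is unremarkable. Whitelisting known high-volume destinations (CDNs, update services) and tuning the window and thresholds to real baseline traffic are what make such a rule usable in production.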
Is this scenario correct? We will not know until a final report is released if we ever see a final report that gives actionable information.
That said, I am sure there are a lot of you reading this who are shaking in your boots based on this scenario. That fear is likely based on the fact that you realize how ill-equipped your organization is to deal with this sort of attack. And you should be scared. This is a war of escalation that we are waging. Organizations step up their game and the attackers up the ante on their side. The famous saying, “When chased by a bear, I only have to outrun the last person to save myself,” is very true in this situation as well. Your organization’s security game only has to be better than the other organizations’. But when an organization like Target is breached and they were considered to be at the top of the security game, what chance does an organization with mediocre security have?
The only saving grace might be that your organization is flying under the radar. I say “might be” because, according to the majority of reports on the state of information security, most organizations have no idea that they have been compromised. That is because people rely on anti-virus and other technologies that have a poor track record of identifying malware and sophisticated attacks. And then, as we learned in this past week’s report on the Neiman Marcus breach, you can have information security personnel write off discovered malware as false positive results and let it re-infect for months without investigating or even worrying about what was going on.
It is easy to pillory the guy that got breached. However, a lot of you should look inside your own organizations before tossing stones. I would guess that most of you tossing those stones would not fare any better, and likely worse, than Target should your organization be breached.