
Target attack a two-pronged approach data firm says

By Gurdev Sethi | January 21, 2014



“Very crafty, and sign of things to come.” – Vince Berk, FlowTraq CEO

Vince was quoted in the following article, just published in the St. Paul Pioneer Press, a newspaper located near Target Stores' Minnesota headquarters.

Follow the link to the full story, and read Vince’s additional insights below.

Target attack a two-pronged approach, data firm says

St. Paul Pioneer Press

By Julio Ojeda-Zapata, January 22 2014

The now-infamous Target data breach exposing customers’ personal and financial information appears to have occurred in two distinct stages, with a nearly weeklong pause between the first and the second phases, a data-security company disclosed Thursday.

Seculert, based in Silicon Valley, said it has identified and scrutinized the malware that was used to compromise client data in what is being described as the most serious such data-security breach in U.S. history.

Click to read the full St. Paul Pioneer Press article.

Vince Berk's further comments on the report:

This information, combined with the findings published by Brian Krebs, shows the depth of this attack. Very crafty, and sign of things to come. The attackers figured out a way to compromise the PoS systems, to capture credit cards. But they were smart enough to realize that these systems are most likely not directly Internet connected, so therefore they used a “stepping-stone” within Target's trusted network.

This stepping-stone system was compromised, and known, in advance by the attackers, and they used it because it was reachable by the PoS systems, as well as being sufficiently Internet connected, to get the records out of the larger Target computer network.

It is a distinct possibility that the stepping-stone system was originally the attack vector that was used to infect the PoS systems, and might have been a target of opportunity. The attackers might have looked for many systems in other retailer networks, and simply discovered this system in Target's network to be the right candidate for the attack they had in mind.

The key being that this stepping-stone system must both be somewhat Internet connected, and have access to the (most likely) well-protected PoS systems.

Once the data was brought back to the stepping-stone machine, it could be exfiltrated to the virtual host in Russia, from where presumably additional steps were made to get the data back to the attackers. Virtual servers are nice, because they can be destroyed, and with that all the evidence they may contain.

It is a well-executed attack that most likely took weeks or months of planning and data gathering. Whether we consider this a surprise is a matter of debate. The Morris worm (the first true Internet virus) was actually extremely complex, using up to three attack vectors at the same time to further its spread. Crafty attacks are not new, but I believe we are all intrigued by the complexity of this one.

Although this attack was complex, we must admit that we see that complex attacks such as these are on the rise. A sharp rise, in fact. This is to be expected. As organizations are spending more time and money securing their networks, they make it harder for attackers to get to the data. But by no means is it impossible.

Crafty attacks like this are not thwarted by building bigger walls. Instead, they are found and subverted by paying close attention to network traffic, anomalies, and changes in host behavior. The compromised stepping-stone system in Target's network was the key, and it must have been behaving mighty strangely as the attackers were gathering information and planning their attack. This wasn't an overnight process.

—Vince
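The traffic pattern Vince describes, an internal host that many PoS systems push data to and that also talks to the outside, is something flow records can surface. The script below is an added illustration for this post, not FlowTraq code or anything derived from the Target investigation; the subnets, addresses, ports and byte counts are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed for this example).
POS_SUBNET = ip_network("10.20.0.0/16")   # where the PoS terminals live
INTERNAL = ip_network("10.0.0.0/8")       # the trusted corporate network

# Constructed flow records: (src, dst, dst_port, bytes). Not real Target data.
FLOWS = [
    # several PoS terminals sending data to one ordinary internal host
    ("10.20.1.11", "10.5.0.7", 445, 120_000),
    ("10.20.1.12", "10.5.0.7", 445, 98_000),
    ("10.20.2.40", "10.5.0.7", 445, 131_000),
    ("10.20.3.9",  "10.5.0.7", 445, 87_000),
    # that same host then moving a similar volume to an external address
    ("10.5.0.7", "203.0.113.50", 21, 430_000),
    # benign: one PoS terminal talking to an inventory server that never goes outside
    ("10.20.1.11", "10.5.0.9", 443, 5_000),
    # benign: the web proxy talks to the Internet a lot but has no PoS fan-in
    ("10.5.0.2", "198.51.100.8", 443, 2_000_000),
]

def find_stepping_stones(flows, min_pos_peers=3):
    """Flag internal hosts with both PoS fan-in and outbound external traffic.

    Neither signal alone is suspicious: servers receive from many PoS terminals,
    and proxies talk to the Internet. The combination on one host is the
    stepping-stone shape described above.
    """
    pos_peers = defaultdict(set)   # internal host -> distinct PoS sources
    bytes_in = defaultdict(int)    # bytes received from PoS sources
    bytes_out = defaultdict(int)   # bytes sent to non-internal destinations
    for src, dst, _port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in POS_SUBNET and d in INTERNAL:
            pos_peers[dst].add(src)
            bytes_in[dst] += nbytes
        elif s in INTERNAL and d not in INTERNAL:
            bytes_out[src] += nbytes
    hits = {}
    for host, peers in pos_peers.items():
        if len(peers) >= min_pos_peers and bytes_out[host] > 0:
            hits[host] = {"pos_peers": len(peers),
                          "bytes_in": bytes_in[host],
                          "bytes_out": bytes_out[host]}
    return hits

if __name__ == "__main__":
    for host, info in find_stepping_stones(FLOWS).items():
        print(f"possible stepping stone {host}: {info}")
```

A real deployment would baseline each host's normal peer set and volumes over time, since the point of the post is that the host's behavior changed, not that any single flow was unusual.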