Who would have thought that an HVAC system could lead to the data of millions of people being compromised? Target surely didn’t. Recently, it has come to light that the Target breach hackers likely gained access to the areas of its network where customer information was stored by remotely infiltrating the company’s HVAC system contractor.
Let’s break down how this particular Advanced Persistent Threat (APT) was able to access Target’s customer information:
- It all started with an email attack, according to information security expert Brian Krebs. The malware-laced email was likely sent out to a broad range of targets gleaned from Target’s public-facing vendor documentation. It was then downloaded by a contractor at Fazio Mechanical, a heating, air conditioning and refrigeration firm, hired by Target to maintain its HVAC system. The likely malware downloaded was Citadel, a password-stealing bot that is derived from the ZeuS banking trojan.
- The malware was undetected by Fazio Mechanical’s malware prevention software, the free version of Malwarebytes Anti-Malware. Because the company was not using an enterprise-grade or real-time solution, the malware was able to compromise the employee’s password, thus gaining access to Fazio Mechanical’s entire network. If Target had the right access control and central management mechanisms in place, this is where the malware would have been stopped.
- From there, the hackers connected to Target’s network and accessed the parts of its network that Fazio Mechanical had access to, its external billing system, called Ariba, and several project management-related portals. According to an unnamed source who was formerly employed by Target on its security team, “the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application.”
- The network lacked advanced authentication mechanisms, such as two-factor authentication, because, according to another source who managed Target vendors, “Target would have paid very little attention to vendors like Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target.” Essentially, because of Target’s lack of preparedness, an experienced hacker had nearly unfettered access to its network after escalating Active Directory privileges. From there, it was a piece of cake to get into Target’s Point of Sale (POS) system data and extract credit card information.
The breach, which exposed the personal information of 70 million customers and 40 million credit card numbers, could have been prevented if Fazio Mechanical and Target had taken the proper network security precautions. As mentioned previously, Fazio Mechanical was likely not the first vendor associated with Target that was probed by hackers looking for a way to steal lucrative, sensitive data. APTs like this one try to exploit every potential attack vector, and it is up to enterprises to thoroughly prepare themselves by implementing best-of-breed systems.
Enterprises can secure remote access to their corporate networks and minimize the risk of breaches like this one by implementing VPNs that not only have advanced authentication mechanisms, but ones that can be centrally managed, which provide network administrators with a dashboard overview of the end devices and users that may pose a risk due to authentication issues, outdated VPN clients and more. Further, enterprises should implement remote access solutions that can interoperate and communicate with other network and security components via protocols such as IF-MAP, to nimbly adjust to attacks as they occur. For example, if an enterprise has implemented network and security solutions that include IF-MAP, components will be able to exchange security-related metadata and rapidly communicate a potential threat across the entire system if necessary, which would then trigger a response and prevent a threat from spreading. The time to be proactive is now.