Report: Target Hackers Used Default Vendor Credentials; Justice Dept. Investigating

The attackers behind the Target data breach may have used hardcoded default credentials in system management software to move laterally on the retailer’s network and exfiltrate stolen payment card data.

Attorney General Eric Holder told members of a Senate Judiciary Committee yesterday that the U.S. Justice Department is investigating the Target data breach.

Target has already brought in the Secret Service and a computer forensics company to look into the break-in, which reportedly lasted between Nov. 27 and Dec. 15, the height of the Christmas shopping season.

Holder’s confirmation comes on the same day that website Krebs on Security reported that the hackers behind the breach deeply penetrated Target’s network to set up a command server and steal credit card numbers and personal information from infected point of sale systems.

Journalist Brian Krebs said a hardcoded user name and default password associated with a malware sample matches that used by a product called Performance Assurance for Microsoft Servers from system management software maker BMC Software.

The user account associated with the user name Best1_user is installed by the product to perform routine management, and its only privilege is to run batch jobs. Experts have speculated that the attackers could have been moving the stolen data in this way to outside servers.

Target spokesperson Molly Snyder told Threatpost this morning that the company had no comment on Krebs’ report. “The criminal and forensic investigations are active and ongoing,” Snyder said.

Krebs’ report also quotes a private report Dell SecureWorks shared with its customers that includes an analysis of the malware used. Dell SecureWorks said two types of malware were used: the first is uploaded to point of sale systems and steals payment card data from memory; the second is used to exfiltrate the data to the attackers’ servers. The secret report confirms the attackers likely used the BMC software to move laterally on the Target network.

The report also goes into detail about the memory-scraping malware used to grab card data from point of sale systems before it is encrypted and sent to a payment processor. There are similarities, Dell SecureWorks said, to the BlackPOS malware, which is being sold underground by a criminal who goes by the handle ree4. Similar strings in BlackPOS and the Target malware samples suggest a link, but the report says that is not likely.

“A more likely scenario is that the threat actors responsible for the Target breach possess the original memory monitor source code and used it as a foundation for their custom malware,” the report said.

RAM-scraper malware goes back a half-dozen years, and experts said it has been a plague in the retail and hospitality industries, which often run point-of-sale systems on woefully unpatched Windows software. The Target hackers, Krebs reported, citing sources at Malcovery, likely broke into the corporate network via SQL injection attacks. When reports first emerged that memory-parsing malware was part of the Target attack, experts told Threatpost that the hackers would have needed access to the Target network for some time in order to install malware on the POS terminals.

“The Target breach is so huge, either the attackers used some kind of bulk method like access to Target’s servers or somewhere else where the credit card data is being stored, or they had broad access to a large number of their point of sale terminals for an ongoing basis,” said Nate Lawson of Root Labs.

The Target breach grew quickly from 40 million credit and debit card numbers to also include personal information on as many as another 70 million, potentially putting 110 million at risk for identity theft and fraud.

“In the case of an organization like Target, you’re looking at an extremely complex environment with hundreds of thousands of employees, systems, sites, and vendors; every aspect represents some level of risk,” said Rapid7 global security strategist Trey Ford. “The problem is that it’s impossible to make every one of those elements bulletproof and traditional incident detection systems aren’t looking for deceptive activity. Attackers left undetected for a sufficient amount of time can do just about anything they want.”
